Abstract. We construct extension rings with fast arithmetic using isogenies between elliptic curves. As an application, we give an elliptic version of the AKS primality criterion.

1. Introduction 

Classical Kummer theory considers binomials of the form $x^d - a$, where $d \ge 2$ is an integer and $a$ is a unit in a (commutative and unitary) ring $R$ containing a primitive $d$-th root of unity $\zeta$. The associated $R$-algebra $S = R[x]/(x^d - a)$ has proved extremely useful, including in very recent algorithmic applications such as integer factoring and discrete logarithm computation [12], primality proving [1, 6], fast polynomial factorization and composition [14], low complexity normal bases [20, 11, 2] of field extensions and ring extensions [17].

Part of this computational relevance is due to the purely algebraic properties of $S$: a finite free étale $R$-algebra of rank $d$, endowed with an $R$-automorphism $\sigma : x \mapsto \zeta x$ such that $R$ is the ring of invariants by $\sigma$ in $S$ (see Section 3.1). However, there are more geometric properties involved. For example, we can define the degree of a non-zero class in $R[x]/(x^d - a)$ to be the smallest degree of the non-zero polynomials in this class. This degree is subadditive and invariant by the automorphism $\sigma$. To understand this, it is sensible to introduce the multiplicative group $\mathbf{G}_m = \mathrm{Spec}(R[x,1/x])$ over $R$ and the multiplication by $d$ isogeny $[d] : \mathbf{G}_m \to \mathbf{G}_m$. Then $x = a$ defines a section $A$ of $\mathbf{G}_m \to \mathrm{Spec}(R)$ and $S$ can be seen as the residue ring at $\mathfrak{J}_A = [d]^{-1}(A)$. The kernel of $[d]$ is the disjoint union of $d$ sections in $\mathbf{G}_m(R)$. Let $T$ be the one defined by $x = \zeta$. Translation by $T$ defines an automorphism of $\mathbf{G}_m$ that stabilizes $\mathfrak{J}_A$. One can then view elements in $S$ as congruence classes of functions on $\mathbf{G}_m$ modulo $\mathfrak{J}_A$.

The main restriction of classical Kummer theory is that not every ring $R$ has a primitive $d$-th root of unity. One may look for an auxiliary extension $R' \supset R$ that contains such a primitive root, but this may result in many complications and a great loss of efficiency. Another approach, already experimented in the context of normal bases [9] for finite field extensions, consists in replacing the multiplicative group $\mathbf{G}_m$ by some well chosen elliptic curve $E$ over $R$. We then look for a section $T \in E(R)$ of exact order $d$. Because elliptic curves are many, we increase our chances to find such a section. We call the resulting algebra $S$ a ring of elliptic periods because of the strong analogy with classical Gauss periods.

The first half of the present work is devoted to the explicit study of Kummer theory of elliptic curves and, more specifically, to the algebraic and algorithmic description of the residue algebras constructed as sketched above. The resulting elliptic functions and equations are not quite as simple as binomials. Still they can be described very explicitly and quickly, e.g. in quasi-linear time in the degree $d$. The geometric situation is summarized by Theorem 1 and the $R$-algebra $S$ of elliptic periods is described by Theorem 2. The second half of the paper proposes an elliptic version of the AKS primality criterion. A general, context free, primality criterion in the style of Berrizbeitia is first given in Theorem 3. This criterion involves an $R$-algebra $S$ where $R = \mathbf{Z}/n\mathbf{Z}$ and $n$ is the integer to be tested for primality. If we take $S$ to be $R[x]/(x^d - a)$, we recover results by Berrizbeitia and his followers. If we take $S$ to be a ring of elliptic periods, we obtain the elliptic primality criterion of Corollary 2.

While the proof of Corollary 2 uses the results in Section 2, much of Section 3 is independent 
of Section 2. Readers only interested in primality proving may skim through Section 2 and 
read Section 3, then come back to Section 2 for technical details. 

2. ISOGENIES BETWEEN ELLIPTIC CURVES 

In this section, we use isogenies between elliptic curves to construct ring extensions. To this end, we extend the methods introduced by Couveignes and Lercier [9] in two different directions. Firstly, we provide efficient explicit expressions for the constants that appear in the multiplication tensor of the ring of elliptic periods. Thanks to these formulae, one can construct the ring of elliptic periods in quasi-linear time. Secondly, we explain how these methods, originally introduced in the context of finite fields, can be adapted to the more general context of rings.

We recall in Section 2.1 more or less classical formulae about elliptic curves and isogenies over fields. In Section 2.2, these formulae are proved to hold true over almost any base ring. In Section 2.3, we use isogenies to construct extension rings and we finally give a numerical example in Section 2.4.

Notation: If $\vec\alpha = (\alpha_i)_{i\in\mathbf{Z}/d\mathbf{Z}}$ and $\vec\beta = (\beta_i)_{i\in\mathbf{Z}/d\mathbf{Z}}$ are two vectors of length $d$, we denote by $\vec\alpha *_j \vec\beta = \sum_{i\in\mathbf{Z}/d\mathbf{Z}} \alpha_i \beta_{j-i}$ the $j$-th component of the convolution product. We denote by $\sigma(\vec\alpha) = (\alpha_{i-1})_i$ the cyclic shift of $\vec\alpha$, by $\vec\alpha \circ \vec\beta = (\alpha_i \beta_i)_i$ the component-wise product and by $\vec\alpha * \vec\beta = (\vec\alpha *_i \vec\beta)_i$ the convolution product.

2.1. Elliptic curves over fields. In this section, $K$ is a field with characteristic $p$ and $E/K$ is an elliptic curve given by a Weierstrass equation

$$Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3 .$$

We set

$$b_2 = a_1^2 + 4a_2 ,\quad b_4 = a_1 a_3 + 2a_4 ,\quad b_6 = a_3^2 + 4a_6 ,\quad b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2 .$$

We denote by $O = [0 : 1 : 0]$ the origin.

Following Vélu [26, 25] and Couveignes and Lercier [9], we state a few identities related to a degree $d$ separable isogeny with cyclic kernel $I : E \to E'$. We exhibit in Section 2.1.3 a normal basis for the field extension $K(E)/K(E')$ consisting of degree 2 functions. We study in Section 2.1.4 the matrix of the trace form in this normal basis.
2.1.1. Some simple elliptic functions. If $A$ is a point in $E(K)$, we denote by $\tau_A : E \to E$ the translation by $A$. Following [9, Section 2], we set $x_A = x \circ \tau_{-A}$ and $y_A = y \circ \tau_{-A}$. We check that

$$x_A\,(x - x(A))^2 = \bigl(a_3 + 2y(A) + a_1 x(A)\bigr)\,y + x(A)\,x^2 + \bigl(a_4 + a_1^2 x(A) + a_1 a_3 + 2a_2 x(A) + a_1 y(A) + x(A)^2\bigr)\,x + a_3^2 + a_1 a_3 x(A) + a_3 y(A) + a_4 x(A) + 2a_6 . \quad (1)$$

We do not give an explicit expression for $y_A$ but we check that $y_A\,(x - x(A))^3$ can be written as a polynomial in $\mathbf{Z}[a_1, a_2, a_3, a_4, a_6, x(A), y(A), x, y]$.

We also check that

$$\bigl(x_A - x(A)\bigr)\bigl(x_{-A} - x(A)\bigr) = -\frac{\psi_3(a_1,a_2,a_3,a_4,a_6,x(A))}{(x - x(A))^2} - \frac{\tilde\psi_3(a_1,a_2,a_3,a_4,a_6,x(A))}{x - x(A)} \quad (2)$$

where $\psi_3(a_1,a_2,a_3,a_4,a_6,x)$ is the so called 3-division polynomial:

$$\psi_3 = 3x^4 + b_2 x^3 + 3b_4 x^2 + 3b_6 x + b_8 ,$$

and

$$\tilde\psi_3 = \psi_3'/3 = 4x^3 + b_2 x^2 + 2b_4 x + b_6 .$$

We also check that the resultant of $\tilde\psi_3$ and $\psi_3$ in the variable $x$ is

$$\mathrm{Res}_x(\tilde\psi_3, \psi_3) = -\Delta^2 \quad (3)$$

where $\Delta \in \mathbf{Z}[a_1,a_2,a_3,a_4,a_6]$ is the discriminant of the elliptic curve $E$.

If $A$, $B$ and $C$ are three pairwise distinct points in $E(K)$, we define $\Gamma(A,B,C)$ as in [9, Section 2],

$$\Gamma(A,B,C) = \frac{y(C - A) - y(A - B)}{x(C - A) - x(A - B)} . \quad (4)$$

Taking for $C$ the generic point on $E$, we define a function $u_{A,B} \in K(E)$ by $u_{A,B}(C) = \Gamma(A,B,C)$. It has two simple poles: one at $A$ and one at $B$. The following identities are proven in [9, Section 2].

$$\Gamma(A,B,C) = \Gamma(B,C,A) = -\Gamma(B,A,C) - a_1 = -\Gamma(-A,-B,-C) - a_1 ,$$
$$u_{A,B} + u_{B,C} + u_{C,A} = \Gamma(A,B,C) - a_1 ,$$
$$u_{A,B}\,u_{A,C} = x_A + \Gamma(A,B,C)\,u_{A,C} + \Gamma(A,C,B)\,u_{A,B} + a_2 + x_A(B) + x_A(C) , \quad (5)$$
$$u_{A,B}^2 = x_A + x_B - a_1 u_{A,B} + x_A(B) + a_2 . \quad (6)$$

We further can prove in the same way

$$x_C\,u_{A,B} = \Gamma(A,B,C)\,x_C + x_B(C)\,u_{C,B} - x_A(C)\,u_{C,A} + y_A(C) - y_B(C) ,$$
$$x_A\,u_{A,B} = y_A + x_B(A)\,u_{A,B} - y_B(A) ,$$
$$x_B\,u_{A,B} = -y_B - a_1 x_B - a_3 + x_B(A)\,u_{A,B} - y_B(A) .$$
2.1.2. Vélu's formulae. Let $d \ge 3$ be an odd integer and let $T \in E(K)$ be a point of order $d$. For $k$ an integer, we set $x_k = x_{kT}$, $y_k = y_{kT}$ and, following Vélu [26], we define

$$x' = x + \sum_{1 \le k \le d-1} \bigl[x_k - x(kT)\bigr] \quad\text{and}\quad y' = y + \sum_{1 \le k \le d-1} \bigl[y_k - y(kT)\bigr] . \quad (7)$$

We also set

$$w_4 = \sum_{1 \le k \le (d-1)/2} \bigl(6x(kT)^2 + b_2 x(kT) + b_4\bigr) ,$$
$$w_6 = \sum_{1 \le k \le (d-1)/2} \bigl(10x(kT)^3 + 2b_2 x(kT)^2 + 3b_4 x(kT) + b_6\bigr) ,$$
$$a_4' = a_4 - 5w_4 , \qquad a_6' = a_6 - b_2 w_4 - 7w_6 ,$$

and

$$a_1' = a_1 ,\quad a_2' = a_2 ,\quad a_3' = a_3 . \quad (8)$$

Vélu proves the identity

$$(y')^2 + a_1' x' y' + a_3' y' = (x')^3 + a_2' (x')^2 + a_4' x' + a_6' .$$

So the map $(x,y) \mapsto (x',y')$ defines a degree $d$ isogeny $I : E \to E'$ where $E'$ is the elliptic curve given by the above Weierstrass equation.

2.1.3. Elliptic normal basis. Let

$$U_k = u_{kT,(k+1)T} \quad\text{and}\quad u_k = a\,u_{kT,(k+1)T} + b \quad (9)$$

where $a \ne 0$ and $b$ are scalars in $K$ chosen such that

$$\sum_{k \in \mathbf{Z}/d\mathbf{Z}} u_k = 1 . \quad (10)$$

Such scalars always exist by [9, Lemma 4]. For $k$ and $l$ distinct and non-zero in $\mathbf{Z}/d\mathbf{Z}$, we set

$$\Gamma_{k,l} = \Gamma(O, kT, lT) . \quad (11)$$

Recall

$$u_{O,kT} = \frac{y - y(-kT)}{x - x(kT)} . \quad (12)$$

We check that

$$U_k = u_{kT,(k+1)T} = u_{O,(k+1)T} - u_{O,kT} + \Gamma_{k,k+1} . \quad (13)$$

The system $(u_k)_{k \in \mathbf{Z}/d\mathbf{Z}}$ is a basis of $K(E)$ over $K(E')$. More precisely, we have the following lemma, that generalizes Lemma 5 of [9].

Lemma 1 (A normal basis). Let $E$ be an elliptic curve over a field $K$. Let $T \in E(K)$ be a point of odd order $d \ge 3$ and $I : E \to E'$ be the degree $d$ separable isogeny defined from $T$ by Vélu's formulae. Let $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ be the functions in $K(E)$ defined above. Then the system $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is a $K(E')$-basis of $K(E)$.

Moreover, let $L \supset K$ be an extension of $K$ and let $A \in E'(L)$ be a non-zero point. Let $B \in E(L)$ be a point on $E$ such that $I(B) = A$ and let

$$I^{-1}(A) = [B] + [B + T] + [B + 2T] + \cdots + [B + (d-1)T]$$

be the fiber of $I$ above $A$. Then the three following conditions are equivalent:

(i) The images of the $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ in the residue ring at $I^{-1}(A)$ form an $L$-basis of it;

(ii) The matrix $\bigl(u_k(B + lT)\bigr)_{k,l\in\mathbf{Z}/d\mathbf{Z}}$ is invertible;

(iii) The point $A$ is not in the kernel of the dual isogeny $I' : E' \to E$.

Proof. We first base change $E$ and $E'$ to $L$ and observe that the $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ are $L$-linearly independent and form a basis of the linear space $\mathcal{L}(I^{-1}(O'))$ where $O'$ is the origin on $E'$ and $I^{-1}(O') = [O] + [T] + [2T] + \cdots + [(d-1)T]$ is the kernel of $I$. Indeed, let $(\lambda_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ be scalars in $L$ such that $f = \sum_{k\in\mathbf{Z}/d\mathbf{Z}} \lambda_k u_k$ is the zero function. Taylor expansions of $f$ at the poles of the $u_k$ (see [9, Section 2]) show that all the $\lambda_k$ are equal. Since the sum of the $u_k$ is $1$, we deduce that every $\lambda_k$ is zero. So the $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ are $L$-independent. They form a basis of $\mathcal{L}(I^{-1}(O'))$ because $I^{-1}(O')$ is a degree $d$ divisor (Riemann-Roch theorem).

Now, let us prove the second part of the lemma.

To prove that (i) and (ii) are equivalent, we notice that a vector $(\lambda_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is in the kernel of the matrix $(u_k(B + lT))_{k,l\in\mathbf{Z}/d\mathbf{Z}}$ if and only if $\sum_{k\in\mathbf{Z}/d\mathbf{Z}} \lambda_k u_k(B + lT)$ is zero for every $l \in \mathbf{Z}/d\mathbf{Z}$. This is equivalent to the vanishing of the function $\sum_{k\in\mathbf{Z}/d\mathbf{Z}} \lambda_k u_k$ on the fiber $I^{-1}(A)$. Incidentally, we notice that the matrix $(u_k(B + lT))_{k,l\in\mathbf{Z}/d\mathbf{Z}}$ is circulant.

To show that (iii) implies (i), let $(\lambda_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ be scalars in $L$ such that $f = \sum_{k\in\mathbf{Z}/d\mathbf{Z}} \lambda_k u_k$ vanishes on the fiber $I^{-1}(A)$. If the $\lambda_k$ are not all zero, then $f$ is non-zero, and its divisor is $I^{-1}(A) - I^{-1}(O')$. We deduce that $\sum_{k\in\mathbf{Z}/d\mathbf{Z}} [B + kT] - [kT]$ is a principal divisor. Thus $\sum_{k\in\mathbf{Z}/d\mathbf{Z}} (B + kT - kT) = dB = I'(A) = O$, the origin on $E$. So $A$ lies in the kernel of $I'$.

Conversely, if $A$ lies in the kernel of $I'$, then the divisor $I^{-1}(A) - I^{-1}(O')$ is principal. Let $f$ be a non-zero function on $E$ such that $(f) = I^{-1}(A) - I^{-1}(O')$. Since $f$ lies in $\mathcal{L}(I^{-1}(O'))$, there exists a non-zero vector $(\lambda_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ in $L^d$ such that $f = \sum_{k\in\mathbf{Z}/d\mathbf{Z}} \lambda_k u_k$. But $f$ vanishes on the fiber $I^{-1}(A)$, by construction. So (i) implies (iii).

To finally prove the first part of the lemma, it is now enough to take for $A$ the generic point of $E'/K$. The generic point is not in the kernel of $I'$ and thus the system $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is a $K(E')$-basis of $K(E)$. □

2.1.4. The trace form. Lemma 1 above provides a basis for the residue ring at a fiber $I^{-1}(A) = [B] + \cdots + [B + (d-1)T]$ where $A \in E'(K)$. We need fast algorithms for multiplying two elements in this residue ring, given by their coordinates in our basis. A prerequisite is to determine the coordinates of $x(B)$ in the basis $(u_k(B))_{k\in\mathbf{Z}/d\mathbf{Z}}$. More generally, we are interested in the coordinates of $x$ in the basis $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ of the $K(E')$-vector space $K(E)$. The reason is that when multiplying $u_k$ and $u_l$ there appear some translates of $x$. See Eqs. (5) and (6). We will give explicit expressions for these coordinates and explain how to compute them efficiently. We shall make use of the trace form of $K(E)/K(E')$. Recall that this is a non-degenerate quadratic form. For $f$ a function on $E$, we denote by $\mathrm{Tr}(f)$ the sum $\sum_{k\in\mathbf{Z}/d\mathbf{Z}} f \circ \tau_{kT}$. It can be seen as a function on $E'$. Our goal is to compute $\mathrm{Tr}(u_{O,kT})$, $\mathrm{Tr}(u_k u_l)$ and $\mathrm{Tr}(u_k x)$ as linear combinations of $1$, $x'$ and $y'$. We then deduce an explicit formula for the determinant of the trace form.
2.1.4.1. Traces of $u_{O,kT}$. For $1 \le k \le d-1$, we set $c_k = \mathrm{Tr}(u_{O,kT})$. It is proven in [9, Section 4.2] that

$$c_1 = \mathrm{Tr}(u_{O,T}) = \sum_{1 \le k \le d-2} \Gamma_{k,k+1} - a_1 . \quad (14)$$

Assume $k$, $l$ and $k+l$ are non-zero in $\mathbf{Z}/d\mathbf{Z}$, then $\mathrm{Tr}(u_{O,(k+l)T}) = \mathrm{Tr}(u_{O,kT}) + \mathrm{Tr}(u_{O,lT}) - d\,\Gamma_{k,k+l}$. Thus,

$$c_{k+l} = c_k + c_l - d\,\Gamma_{k,k+l} . \quad (15)$$

This formula enables us to compute all the $c_k$ for $1 \le k \le d-1$, at the expense of $O(d)$ operations in $K$. Indeed, we first compute the coordinates $(x(kT), y(kT))$ for $1 \le k \le d-1$. Then, using Eqs. (4) and (11), we compute $\Gamma_{k,k+1}$ for every $1 \le k \le d-2$. We then use Eq. (14) to compute $c_1$. Finally, we use Eq. (15) repeatedly for $l = 1$ and $1 \le k \le d-2$, and we deduce the values of $c_2, \ldots, c_{d-1}$.

2.1.4.2. Traces of $U_k U_l$. Assume first that $k \notin \{-1, 0, 1\}$, so $O$, $T$, $kT$ and $(k+1)T$ are pairwise distinct. Then

$$U_0 U_k = u_{O,T}\bigl(u_{O,(k+1)T} - u_{O,kT} + \Gamma_{k,k+1}\bigr)$$
$$= x + \Gamma_{1,k+1}\,u_{O,(k+1)T} - (\Gamma_{1,k+1} + a_1)\,u_{O,T} + x(T) + x((k+1)T) - x - \Gamma_{1,k}\,u_{O,kT} + (\Gamma_{1,k} + a_1)\,u_{O,T} - x(T) - x(kT) + \Gamma_{k,k+1}\,u_{O,T}$$
$$= \Gamma_{1,k+1}\bigl(u_{O,(k+1)T} - u_{O,T}\bigr) - \Gamma_{1,k}\bigl(u_{O,kT} - u_{O,T}\bigr) + x((k+1)T) - x(kT) + \Gamma_{k,k+1}\,u_{O,T} .$$

So

$$\mathrm{Tr}(U_0 U_k) = \Gamma_{1,k+1}(c_{k+1} - c_1) - \Gamma_{1,k}(c_k - c_1) + d\bigl(x((k+1)T) - x(kT)\bigr) + \Gamma_{k,k+1}\,c_1 . \quad (16)$$

For $k = 0$, we have $U_0^2 = x + x_T - a_1 u_{O,T} + x(T) + a_2$. And thus

$$\mathrm{Tr}(U_0^2) = 2x' + d\bigl(x(T) + a_2\bigr) - a_1 c_1 + 2\sum_{1 \le l \le d-1} x(lT) . \quad (17)$$

For $k = -1$, we have

$$U_0 U_{-1} = u_{O,T}\,u_{-T,O} = -u_{O,T}\,u_{O,-T} - a_1 u_{O,T}$$
$$= -\bigl(x + \Gamma_{1,-1}\,u_{O,-T} - (\Gamma_{1,-1} + a_1)\,u_{O,T} + a_2 + x(T) + x(-T)\bigr) - a_1 u_{O,T}$$
$$= -x + \Gamma_{1,-1}\bigl(u_{-T,O} + a_1\bigr) + \Gamma_{1,-1}\,u_{O,T} - a_2 - 2x(T) .$$

And thus

$$\mathrm{Tr}(U_0 U_{-1}) = -x' + 2\Gamma_{1,-1}\,c_1 + d\bigl(a_1 \Gamma_{1,-1} - a_2\bigr) - 2d\,x(T) - \sum_{1 \le l \le d-1} x(lT) . \quad (18)$$

Finally, for $k = 1$, we have

$$\mathrm{Tr}(U_0 U_1) = \mathrm{Tr}(U_{-1} U_0) = \mathrm{Tr}(U_0 U_{-1}) . \quad (19)$$

Now, for any $k$ and $l$, we have

$$\mathrm{Tr}(u_k u_l) = a^2\,\mathrm{Tr}(U_k U_l) + b^2 d + 2ab\,c_1 . \quad (20)$$

We set

$$e_k = \mathrm{Tr}(u_0 u_k) . \quad (21)$$

This is a polynomial in $x'$ with degree one if $k \in \{-1, 0, 1\}$, and zero otherwise. We denote by $\vec e$ the vector $(e_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$.

Assume now we are given a non-zero point $A \in E'(K)$. For every $k$ in $\mathbf{Z}/d\mathbf{Z}$, we write

$$\varepsilon_k = e_k(A) . \quad (22)$$

We can compute the vector $\vec\varepsilon = (\varepsilon_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ at the expense of $O(d)$ operations in $K$. We first compute the coordinates $(x(kT), y(kT))$ for $1 \le k \le d-1$, the coefficients $\Gamma_{k,k+1}$ for every $1 \le k \le d-2$ and the $c_k$ for $1 \le k \le d-1$ as explained in Section 2.1.4.1. We then compute the $\Gamma_{1,k}$ for $2 \le k \le d-1$ using Eqs. (4) and (11). Then, we use Eqs. (16), (17), (18), and (19) to compute the values of the $\mathrm{Tr}(U_0 U_k)$ at $A$. Finally, we use Eq. (20) to deduce $\vec\varepsilon$.
2.1.4.3. Traces of $x u_k$. For $k \notin \{-1, 0\}$, we have

$$x U_k = x_O\,u_{kT,(k+1)T} = \Gamma_{k,k+1}\,x + x((k+1)T)\,u_{O,(k+1)T} - x(kT)\,u_{O,kT} + y((k+1)T) - y(kT) + a_1\bigl(x((k+1)T) - x(kT)\bigr) .$$

And thus,

$$\mathrm{Tr}(x U_k) = \Gamma_{k,k+1}\Bigl(x' + \sum_{1 \le l \le d-1} x(lT)\Bigr) + x((k+1)T)\,c_{k+1} - x(kT)\,c_k + d\Bigl(y((k+1)T) - y(kT) + a_1\bigl(x((k+1)T) - x(kT)\bigr)\Bigr) . \quad (23)$$

For $k = 0$, we have

$$x U_0 = x_O\,u_{O,T} = y + x(T)\,u_{O,T} + y(T) + a_1 x(T) + a_3 .$$

And thus,

$$\mathrm{Tr}(x U_0) = y' + x(T)\,c_1 + d\bigl(y(T) + a_1 x(T) + a_3\bigr) + \sum_{1 \le l \le d-1} y(lT) . \quad (24)$$

For $k = -1$, we have

$$x U_{-1} = x_O\,u_{-T,O} = -y - a_1 x + x(T)\,u_{-T,O} + y(T) + a_1 x(T) .$$

And thus,

$$\mathrm{Tr}(x U_{-1}) = -y' - a_1 x' + x(T)\,c_1 + d\bigl(y(T) + a_1 x(T)\bigr) - \sum_{1 \le l \le d-1}\bigl(y(lT) + a_1 x(lT)\bigr) . \quad (25)$$

We set

$$\bar u_k = \mathrm{Tr}(x u_k) = a\,\mathrm{Tr}(x U_k) + b\Bigl(x' + \sum_{1 \le l \le d-1} x(lT)\Bigr) .$$

This is a polynomial in $x'$ and $y'$ with total degree at most 1. The vector $\vec{\bar u} = (\bar u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is the coordinate vector of $x$ in the dual basis of $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$. Recall that we are interested in the coordinates of $x$ in the basis $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ itself. Call $\vec{\hat u} = (\hat u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ these coordinates. We have

$$\vec{\bar u} = \vec e * \vec{\hat u} . \quad (26)$$

Assume now we are given a non-zero point $A \in E'(K)$. For every $k$ in $\mathbf{Z}/d\mathbf{Z}$, we write

$$\iota_k = \bar u_k(A) \quad\text{and}\quad t_k = \hat u_k(A) .$$

8 JEAN-MARC COUVEIGNES, TONY EZOME, AND REYNALD LERCIER 

We can compute the vector $\vec\iota = (\iota_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ at the expense of $O(d)$ operations in $K$. Then, using Eq. (26), we can compute the vector $\vec t = (t_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ at the expense of one division in the degree $d$ convolution algebra over $K$. This boils down to $O\bigl(d\,(\log d)^2 \log\log d\bigr)$ operations in $K$.

2.1.4.4. The trace form. We now study the trace form in the basis $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$. The matrix $(\mathrm{Tr}(u_k u_l))_{k,l} = (e_{l-k})_{k,l}$ is circulant and its determinant is

$$D = \bigl|\mathrm{Tr}(u_k u_l)\bigr|_{k,l} = \prod_{0 \le j \le d-1}\ \sum_{k\in\mathbf{Z}/d\mathbf{Z}} e_k\,\zeta^{jk} \quad (27)$$

where $\zeta$ is a primitive $d$-th root of unity (that is $\zeta^d = 1$ and $\zeta^j - 1$ is a unit for every $1 \le j \le d-1$). We compute

$$\sum_{k\in\mathbf{Z}/d\mathbf{Z}} e_k = \mathrm{Tr}\Bigl(u_0 \sum_{k\in\mathbf{Z}/d\mathbf{Z}} u_k\Bigr) = \mathrm{Tr}(u_0) = \sum_{k\in\mathbf{Z}/d\mathbf{Z}} u_k = 1 .$$

Using Eqs. (16), (17), (18) and (19), we deduce that $D$ is a polynomial in $x'$ of degree $\le d-1$ and the coefficient of $(x')^{d-1}$ is

$$a^{2d-2} \prod_{1 \le j \le d-1} \bigl(2 - \zeta^j - \zeta^{-j}\bigr) = a^{2d-2}\, d^2 .$$

Since $e_k = e_{-k}$ for every $k \in \mathbf{Z}/d\mathbf{Z}$, we deduce from Eq. (27) that $D$ is a square.

We now assume that $d$ and the characteristic of $K$ are coprime. So the degree of $D(x')$ is $d-1$. From Lemma 1, we deduce that the roots of $D$ are the abscissae of points in the kernel of the dual isogeny $I' : E' \to E$ and they all have multiplicity two. Using Eq. (7), we deduce

$$\psi_I(x)^{2d}\, D(x') = a^{2d-2}\, \psi_d(x)^2 , \quad (28)$$

where

$$\psi_I(x) = \prod_{1 \le k \le (d-1)/2} \bigl(x - x(kT)\bigr) \quad (29)$$

is the factor of $\psi_d(x)$ corresponding to points in the kernel of $I$.

2.1.4.5. Example. We detail on a simple example how to construct a ring of elliptic periods. Following [9], we consider the elliptic curve $E$ of order 10 defined by

$$E/\mathbf{F}_7 : y^2 + xy + 5y = x^3 + 3x^2 + 3x + 2 .$$

The point $T = (3, 1)$ generates a subgroup $\mathcal{T} \subset E(\mathbf{F}_7)$ of order $d = 5$. The quotient elliptic curve $E' = E/\mathcal{T}$ given by Vélu's formulae has equation

$$E'/\mathbf{F}_7 : y^2 + xy + 5y = x^3 + 3x^2 + 4x + 6 ,$$

and the quotient isogeny is

$$I : (x, y) \mapsto (x', y') = \left( \frac{x^5 + 2x^2 + 5x + 6}{x^4 + 3x^2 + 4} ,\ \frac{(x^6 + 4x^4 + 3x^3 + 6x^2 + 3x + 4)\,y + 3x^5 + x^4 + x^3 + 3x^2 + 4x + 1}{x^6 + x^4 + 5x^2 + 6} \right) .$$
We focus first on $\mathrm{Tr}(u_{O,T})$. We have, by Eq. (12), $u_{O,T} = \frac{y - y(-T)}{x - x(T)} = \frac{y + 2}{x + 4}$. A direct but heavy calculation yields

$$\mathrm{Tr}(u_{O,T}) = \frac{y + 2}{x + 4} + \frac{y + 2x^2 + 5}{x^2 + 5} + \frac{5}{x + 3} + \frac{6xy + 3y + 2x^3 + 3x}{(x^2 + 5)(x + 4)} + \frac{6y + 6x + 4}{x + 4} = 3 .$$

Alternatively, if we first compute $\Gamma_{1,2} = 2$, $\Gamma_{2,3} = 0$, $\Gamma_{3,4} = 2$, we more easily come to $c_1 = 2 + 0 + 2 - 1 = 3$. From Eq. (15), we deduce $c_2 = 3$, $c_3 = 6$, $c_4 = 6$.

Let us now consider $\mathrm{Tr}(U_0^2)$. A direct calculation yields

$$\mathrm{Tr}(U_0^2) = \frac{(y + 2)^2}{(x + 4)^2} + \frac{(y + 2x^2 + 5)^2}{(x^2 + 5)^2} + \frac{25}{(x + 3)^2} + \frac{(6xy + 3y + 2x^3 + 3x)^2}{(x^2 + 5)^2 (x + 4)^2} + \frac{(6y + 6x + 4)^2}{(x + 4)^2} = \frac{2x^5 + 6x^4 + x^2 + 3x + 1}{x^4 + 3x^2 + 4} .$$

But we can easily deduce from Eq. (17) that this is equal to

$$2x' + 5\,(3 + 3) - 1 \cdot 3 + 2\,(3 + 4 + 4 + 3) .$$

If we now look more carefully at $\mathrm{Tr}(x U_0)$, we have

$$\mathrm{Tr}(x U_0) = x \cdot \frac{y + 2}{x + 4} + \frac{3y + 3x^2 + 4x + 2}{x^2 + x + 2} \cdot \frac{y + 2x^2 + 5}{x^2 + 5} + \frac{2y + 4x^2 + 3x + 5}{x^2 + 6x + 2} \cdot \frac{5}{x + 3}$$
$$+ \frac{y(5x + 1) + 4x^3 + 6x^2 + 5x + 6}{(x^2 + 6x + 2)(x + 3)} \cdot \frac{6xy + 3y + 2x^3 + 3x}{(x^2 + 5)(x + 4)} + \frac{4y + 3x^2 + x + 1}{x^2 + x + 2} \cdot \frac{6y + 6x + 4}{x + 4}$$
$$= \frac{y\,(x^6 + 4x^4 + 3x^3 + 6x^2 + 3x + 4) + 2x^6 + 3x^5 + 3x^4 + x^3 + 6x^2 + 4x + 6}{x^6 + x^4 + 5x^2 + 6} .$$

But, from Eq. (24), we find that this is equal to

$$y' + 3 \cdot 3 + 5\,(1 + 1 \cdot 3 + 5) + (1 + 0 + 5 + 5) .$$

Let us finally notice that since $c_1 = 3 \ne 0$, we can take $a = 1/c_1 = 5$ and $b = 0$ (see Section 2.1.3). Moreover, let now $A = (4, 2) \in E'(\mathbf{F}_7)$. Take $B \in E(\overline{\mathbf{F}}_7)$ such that $I(B) = A$. We set $r = x(B)$ and check that $r$ is a root of the irreducible $\mathbf{F}_7$-polynomial $(x^5 + 2x^2 + 5x + 6) - 4\,(x^4 + 3x^2 + 4) = x^5 + 3x^4 + 4x^2 + 5x + 4$. We find that

$$\vec\varepsilon = (\varepsilon_0, \varepsilon_1, \varepsilon_2, \varepsilon_3, \varepsilon_4) = (0, 4, 0, 0, 4) .$$
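The following Python script is an added example and not code from the paper: it implements Vélu's formulae (7) and (8) of Section 2.1.2 and the trace recursion (14) and (15) of Section 2.1.4.1 with naive point arithmetic on a general Weierstrass curve over $\mathbf{F}_7$, and checks them on the curve, the point $T = (3,1)$ and the values $E'$, $c_1, \ldots, c_4$ of the example above. The function names (`velu_codomain`, `velu_isogeny`, `traces_c`, `trace_direct`, `slope`, `add`) are the example's own. The Vélu sum is evaluated on every rational point of $E$ and compared with the rational function for $x'$ displayed above, and $c_1$ is also recovered as a direct sum over a fibre.

```python
# Added example, not code from the paper: Vélu's formulae (7)-(8) and the
# trace recursion (14)-(15), checked on the curve of Section 2.1.4.5.
# Curve E/F_7 : y^2 + xy + 5y = x^3 + 3x^2 + 3x + 2, T = (3, 1), d = 5.
# A point is a tuple (x, y); None stands for the origin O.
P_MOD = 7
A_COEFFS = (1, 3, 5, 3, 2)   # (a1, a2, a3, a4, a6) of E, taken from the example
T_POINT = (3, 1)
D_ORDER = 5

def inv(v, p=P_MOD):
    """Inverse modulo the prime p (Fermat)."""
    return pow(v % p, p - 2, p)

def on_curve(pt, a, p=P_MOD):
    if pt is None:
        return True
    a1, a2, a3, a4, a6 = a
    x, y = pt
    return (y * y + a1 * x * y + a3 * y - (x ** 3 + a2 * x * x + a4 * x + a6)) % p == 0

def neg(pt, a, p=P_MOD):
    if pt is None:
        return None
    a1, a2, a3, a4, a6 = a
    x, y = pt
    return (x, (-y - a1 * x - a3) % p)

def slope(P1, P2, a, p=P_MOD):
    """Slope of the chord through P1, P2 (tangent if P1 == P2); None if vertical."""
    a1, a2, a3, a4, a6 = a
    x1, y1 = P1
    x2, y2 = P2
    if x1 != x2:
        return (y2 - y1) * inv(x2 - x1, p) % p
    if (y1 + y2 + a1 * x1 + a3) % p == 0:   # P2 == -P1: vertical line
        return None
    return (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) * inv(2 * y1 + a1 * x1 + a3, p) % p

def add(P1, P2, a, p=P_MOD):
    """Group law of a general Weierstrass curve."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    lam = slope(P1, P2, a, p)
    if lam is None:
        return None
    a1, a2, a3, a4, a6 = a
    x1, y1 = P1
    x3 = (lam * lam + a1 * lam - a2 - x1 - P2[0]) % p
    nu = (y1 - lam * x1) % p
    return (x3, (-(lam + a1) * x3 - nu - a3) % p)

def mul(k, pt, a, p=P_MOD):
    R = None
    for _ in range(k):
        R = add(R, pt, a, p)
    return R

def velu_codomain(a, T, d, p=P_MOD):
    """Eq. (8): coefficients (a1', ..., a6') of E' = E/<T>, d odd."""
    a1, a2, a3, a4, a6 = a
    b2, b4, b6 = (a1 * a1 + 4 * a2) % p, (a1 * a3 + 2 * a4) % p, (a3 * a3 + 4 * a6) % p
    w4 = w6 = 0
    for k in range(1, (d - 1) // 2 + 1):        # one point of each pair {kT, -kT}
        xk = mul(k, T, a, p)[0]
        w4 += 6 * xk * xk + b2 * xk + b4
        w6 += 10 * xk ** 3 + 2 * b2 * xk * xk + 3 * b4 * xk + b6
    return (a1, a2, a3, (a4 - 5 * w4) % p, (a6 - b2 * w4 - 7 * w6) % p)

def velu_isogeny(pt, a, T, d, p=P_MOD):
    """Eq. (7): x' = x + sum_k (x_k - x(kT)), y' likewise; None on the kernel."""
    if pt is None:
        return None
    xp, yp = pt
    for k in range(1, d):
        kT = mul(k, T, a, p)
        Q = add(pt, kT, a, p)     # {P + kT} is the same set as {P - kT} = {x_k(P)}
        if Q is None:
            return None           # P is a multiple of T
        xp += Q[0] - kT[0]
        yp += Q[1] - kT[1]
    return (xp % p, yp % p)

def traces_c(a, T, d, p=P_MOD):
    """c_k = Tr(u_{O,kT}) from Eqs. (14)-(15); Gamma_{k,l} = u_{O,kT}(lT) = slope(lT, -kT)."""
    kT = [None] + [mul(k, T, a, p) for k in range(1, d)]
    gamma = lambda k, l: slope(kT[l], neg(kT[k], a, p), a, p)
    c = {1: (sum(gamma(k, k + 1) for k in range(1, d - 1)) - a[0]) % p}
    for k in range(1, d - 1):
        c[k + 1] = (c[k] + c[1] - d * gamma(k, k + 1)) % p
    return c

def trace_direct(f, B, a, T, d, p=P_MOD):
    """Tr(f) evaluated at I(B): sum of f over the fibre B + lT, l = 0..d-1."""
    return sum(f(add(B, mul(l, T, a, p), a, p)) for l in range(d)) % p

def all_points(a, p=P_MOD):
    return [None] + [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, p)]

if __name__ == "__main__":
    print("E' =", velu_codomain(A_COEFFS, T_POINT, D_ORDER))             # (1, 3, 5, 4, 6)
    print("I(1,2) =", velu_isogeny((1, 2), A_COEFFS, T_POINT, D_ORDER))  # (0, 1)
    print("c_k =", traces_c(A_COEFFS, T_POINT, D_ORDER))                 # {1: 3, 2: 3, 3: 6, 4: 6}
```

The sums in `velu_codomain` run over one representative of each pair $\{kT, -kT\}$, which is why the factor $6x(kT)^2 + b_2 x(kT) + b_4$ already carries the contribution of both points; summing over all $d-1$ non-zero kernel points would double $w_4$ and $w_6$ and give the wrong curve.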
2.2. Universal Weierstrass elliptic curves. All identities stated in Section 2.1 still make sense and hold true for an elliptic curve over a commutative ring under some mild restrictions. Some (but not all) of these identities are proven in this general context in Vélu's thesis [25] and Katz and Mazur's book [13, Chapter 2]. In this section, we give an elementary proof for all the required identities. We consider in Section 2.2.2 a sort of universal ring for Weierstrass curves with torsion. This ring being an integral domain, the identities hold true in its fraction field. There only remains to check the integrality of all quantities involved. By inverting the determinant of Eq. (27), we define in Section 2.2.3 a localization of the universal ring where the system $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ remains a basis for the function ring extension associated to the isogeny.

2.2.1. Division polynomials. Let $A_1$, $A_2$, $A_3$, $A_4$ and $A_6$ be indeterminates and set $B_2 = A_1^2 + 4A_2$, $B_4 = 2A_4 + A_1 A_3$, $B_6 = A_3^2 + 4A_6$, $B_8 = A_1^2 A_6 + 4A_2 A_6 - A_1 A_3 A_4 + A_2 A_3^2 - A_4^2$, and

$$\Delta = -B_2^2 B_8 - 8B_4^3 - 27B_6^2 + 9B_2 B_4 B_6 .$$

Set

$$\mathbf{A}_1 = \mathbf{Z}[A_1, A_2, A_3, A_4, A_6, 1/\Delta] .$$

Let $x$ and $y$ be two more indeterminates. Set

$$\mathcal{A}(A_1, A_2, A_3, A_4, A_6, x, y) = y^2 + A_1 xy + A_3 y - x^3 - A_2 x^2 - A_4 x - A_6 \in \mathbf{A}_1[x, y] .$$

Let $E_{\mathrm{aff}}$ be the affine smooth plane curve over $\mathbf{A}_1$ with equation $\mathcal{A}(A_1, A_2, A_3, A_4, A_6, x, y) = 0$. Let $E$ be the projective scheme over $\mathbf{A}_1$ with equation $Y^2 Z + A_1 XYZ + A_3 YZ^2 = X^3 + A_2 X^2 Z + A_4 XZ^2 + A_6 Z^3$. We denote by $O$ the section $[0, 1, 0]$. We have $E_{\mathrm{aff}} = E - O$ and $E$ is an elliptic curve over (the spectrum of) $\mathbf{A}_1$ in the sense of [13].

For every integer $k \ge 0$, we denote by $\psi_k(A_1, A_2, A_3, A_4, A_6, x, y)$ the functions in $\mathbf{A}_1[x, y]/(\mathcal{A})$ defined recursively as in [10, Prop. 3.53]:

$$\psi_0 = 0 ,\quad \psi_1 = 1 ,\quad \psi_2 = 2y + A_1 x + A_3 ,$$
$$\psi_3 = 3x^4 + B_2 x^3 + 3B_4 x^2 + 3B_6 x + B_8 ,$$
$$\psi_4 = \psi_2\bigl(2x^6 + B_2 x^5 + 5B_4 x^4 + 10B_6 x^3 + 10B_8 x^2 + (B_2 B_8 - B_4 B_6)\,x + B_4 B_8 - B_6^2\bigr) ,$$
$$\psi_{2k} = \frac{\psi_k}{\psi_2}\bigl(\psi_{k+2}\psi_{k-1}^2 - \psi_{k-2}\psi_{k+1}^2\bigr) ,\qquad \psi_{2k+1} = \psi_{k+2}\psi_k^3 - \psi_{k-1}\psi_{k+1}^3 \quad (k \ge 2) .$$

These are in $\mathbf{A}_1[x, y]/(\mathcal{A})$ but we can see them as polynomials in $\mathbf{A}_1[x, y]$ with degree $0$ or $1$ in $y$. If $k$ is odd, then $\psi_k$ belongs to $\mathbf{A}_1[x]$ and, as a polynomial in $x$, we have $\psi_k = k\,x^{(k^2-1)/2} + O\bigl(x^{(k^2-3)/2}\bigr)$. If $k$ is even, then $\psi_k/\psi_2$ belongs to $\mathbf{A}_1[x]$. The ring $\mathbf{A}_1[x, y]/(\mathcal{A})$ is an integral domain. Following [10, Prop. 3.52, Prop. 3.55], we define the following elements of its field of fractions:



$$g_k = x - \frac{\psi_{k+1}\,\psi_{k-1}}{\psi_k^2} ,$$



k 

2 



hk = y+^^^^+(3x^ + 2A2X + A4-A,,)^:^^ 
The following important relation holds true:

$$g_k - g_l = -\frac{\psi_{k+l}\,\psi_{k-l}}{\psi_k^2\,\psi_l^2} \quad \text{if } k > l \ge 1 . \quad (30)$$

We recall that multiplication by $k$ on $E - E[k]$ is given by $(x, y) \mapsto (g_k, h_k)$. Indeed, this is well known on the generic fiber of $E$ and it extends to all of $E$ by (Zariski) continuity.



2.2.2. Universal Vélu's isogenies. Let $d \ge 3$ be an odd integer and let "$x(T)$" and "$y(T)$" be two more indeterminates. Let $\mathcal{S}$ be the multiplicative subset in $\mathbf{A}_1[x(T), y(T)]$ generated by all $\psi_k(x(T), y(T))$ for $1 \le k \le d-1$. Let $\mathbf{A}_d$ be the ring

$$\mathbf{A}_d = \mathbf{A}_1\Bigl[x(T), y(T), \frac{1}{d}, \frac{1}{\mathcal{S}}\Bigr]\Big/\bigl(\psi_d(x(T)),\ \mathcal{A}(A_1, A_2, A_3, A_4, A_6, x(T), y(T))\bigr) .$$

This is an étale algebra over $\mathbf{A}_1[1/d]$. Since the latter is a regular ring, $\mathbf{A}_d$ is regular too. This is also an integral domain. Indeed, the $d$-torsion of the generic Weierstrass curve is irreducible. We denote by $\mathbf{K}_d$ the field of fractions of $\mathbf{A}_d$. The point $T = (x(T), y(T))$ defines a section of $E_{\mathrm{aff}}$ over $\mathbf{A}_d$. The curve $E$, base changed to $\mathbf{A}_d$, may be seen as the universal Weierstrass elliptic curve with a point of exact order $d$ over a ring where $d$ is invertible.

For every integer $k$ such that $1 \le k \le d-1$, the point $kT$ defines a section of $E$ over $\mathbf{A}_d$. We call $x(kT)$ and $y(kT)$ its coordinates and we have

$$x(kT) = g_k(A_1, A_2, A_3, A_4, A_6, x(T), y(T)) \in \mathbf{A}_d ,\qquad y(kT) = h_k(A_1, A_2, A_3, A_4, A_6, x(T), y(T)) \in \mathbf{A}_d .$$

We note that due to Eq. (30), the difference $x(lT) - x(kT)$ is a unit in $\mathbf{A}_d$ for any $k$ and $l$ in $\mathbf{Z}/d\mathbf{Z}$ such that $k$, $l$, $k+l$ and $k-l$ are not zero. If we base change $E$ to $\mathbf{K}_d$, we obtain an elliptic curve over a field and we can introduce all the scalars and functions of Section 2.1: the $\Gamma_{k,l}$, the $x_k$, $y_k$, $u_k$, $x'$, $y'$, $w_4$, $w_6$, $c_k$, $\ldots$ The denominators arising in the definition of these scalars and functions are units in

$$\mathbf{A}_d[E - E[d]] = \mathbf{A}_d\Bigl[\frac{1}{\psi_d(x)}, x, y\Bigr]\Big/\bigl(\mathcal{A}(A_1, A_2, A_3, A_4, A_6, x, y)\bigr) .$$

So all these scalars (resp. functions) are in $\mathbf{A}_d$ (resp. $\mathbf{A}_d[E - E[d]]$). Especially, we can now define the isogenous curve $E'$ thanks to Eq. (8), then the isogenies $I$ and $I'$.

There remains to choose $a$ and $b$. We just take $a = 1$ and $b = (1 - c_1)/d$. Then the functions $u_k = aU_k + b$ are in $\mathbf{A}_d[E - E[d]]$. All equations from Eq. (11) to Eq. (29) still hold true because they are true in $\mathbf{K}_d(E)$ and $\mathbf{A}_d[E - E[d]]$ embeds in the latter field.

2.2.3. A normal basis. The open subset $E - E[d]$ is the spectrum of the ring $\mathbf{A}_d[E - E[d]]$. This is an integral domain and a regular ring (because it is smooth over $\mathbf{A}_d$). Therefore it is integrally closed. The open subset $E' - \mathrm{Ker}\,I'$ is the spectrum of the ring

$$\mathbf{A}_d[E' - \mathrm{Ker}\,I'] = \mathbf{A}_d\Bigl[\frac{1}{D(x')}, x', y'\Bigr]\Big/\bigl(\mathcal{A}(A_1', A_2', A_3', A_4', A_6', x', y')\bigr) .$$

This is again an integral domain and a regular ring (because it is smooth over $\mathbf{A}_d$). Therefore it is integrally closed too. Eqs. (1), (7), (28) and (29) show that $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$ is included in $\mathbf{A}_d[E - E[d]]$. Eqs. (1) and (7) prove that $x$ and $y$ are integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$. We deduce that the translates $(x_k)_{1 \le k \le d-1}$ and $(y_k)_{1 \le k \le d-1}$ are integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$ too. Using Eq. (2), we deduce that the $1/(x - x(kT))$ are integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$. Note that in the special case $d = 3$, we also need Eq. (3). Now Eqs. (28) and (29) prove that $1/\psi_d(x)$ is integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$. Altogether $\mathbf{A}_d[E - E[d]]$ is the integral closure of $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$ in $\mathbf{K}_d(E)$.

Using Eqs. (12) and (13) and the fact that the $1/(x - x(kT))$ are integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$, we show that the $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ are integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$, therefore belong to $\mathbf{A}_d[E - E[d]]$. For every function $f$ in $\mathbf{A}_d[E - E[d]]$, the products $f u_k$ are integral over $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$. Therefore their traces $\mathrm{Tr}(f u_k)$ belong to $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$, since this ring is integrally closed. Now remember that the determinant of the trace form is

$$D(x') = \bigl|\mathrm{Tr}(u_k u_l)\bigr|_{k,l} ,$$

a unit in $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$. We deduce that the coordinates of $f$ in the basis $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ are in $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$. We thus have found a basis for the $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$-module $\mathbf{A}_d[E - E[d]]$. This finite free module of rank $d$ is also étale because the determinant $D(x')$ of the trace form is a unit.

Let $\sigma$ be the $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$-automorphism of $\mathbf{A}_d[E - E[d]]$ induced by the translation $\tau_{-T}$. We have $\sigma(u_k) = u_{k+1}$ for every $k \in \mathbf{Z}/d\mathbf{Z}$.

Lemma 2 (A freeness result). The ring

$$\mathbf{A}_d[E - E[d]] = \mathbf{A}_d\Bigl[\frac{1}{\psi_d(x)}, x, y\Bigr]\Big/\bigl(\mathcal{A}(A_1, A_2, A_3, A_4, A_6, x, y)\bigr)$$

is a finite free étale algebra of rank $d$ over

$$\mathbf{A}_d[E' - \mathrm{Ker}\,I'] = \mathbf{A}_d\Bigl[\frac{1}{D(x')}, x', y'\Bigr]\Big/\bigl(\mathcal{A}(A_1', A_2', A_3', A_4', A_6', x', y')\bigr)$$

and $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is a basis for this free algebra. For every $k \in \mathbf{Z}/d\mathbf{Z}$, we have $\sigma(u_k) = u_{k+1}$ where $\sigma$ is the $\mathbf{A}_d[E' - \mathrm{Ker}\,I']$-automorphism of $\mathbf{A}_d[E - E[d]]$ induced by the translation $\tau_{-T}$.

The following theorem is proven by base change in Lemma 2.

Theorem 1 (Elliptic Kummer extension). Let $d \ge 3$ be an odd integer. Let $R$ be a ring where $d$ is invertible. Let $a_1, a_2, a_3, a_4, a_6, \mathfrak{x}$ and $\mathfrak{y}$ be elements in $R$ such that

• $\Delta(a_1, a_2, a_3, a_4, a_6)$ is a unit in $R$,

• $\psi_d(a_1, a_2, a_3, a_4, a_6, \mathfrak{x}, \mathfrak{y}) = 0$,

• $\psi_k(a_1, a_2, a_3, a_4, a_6, \mathfrak{x}, \mathfrak{y})$ is a unit in $R$ for any $1 \le k \le d-1$.

Then $T = (\mathfrak{x}, \mathfrak{y})$ is a point of exact order $d$ on the Weierstrass elliptic curve given by the equation $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ over $R$.

Set $a = 1$ and $b = (1 - c_1)/d$ and $u_k = aU_k + b$. Then all equations from Eq. (11) to Eq. (29) still make sense and hold true in the ring

$$R[E - E[d]] = R\Bigl[\frac{1}{\psi_d(x)}, x, y\Bigr]\Big/\bigl(\mathcal{A}(a_1, a_2, a_3, a_4, a_6, x, y)\bigr)$$

and this ring is a finite free étale algebra of rank $d$ over

$$R[E' - \mathrm{Ker}\,I'] = R\Bigl[\frac{1}{D(x')}, x', y'\Bigr]\Big/\bigl(\mathcal{A}(a_1', a_2', a_3', a_4', a_6', x', y')\bigr)$$

and $(u_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is a basis for this free algebra.

For every $k \in \mathbf{Z}/d\mathbf{Z}$, we have $\sigma(u_k) = u_{k+1}$ where $\sigma$ is the $R[E' - \mathrm{Ker}\,I']$-automorphism of $R[E - E[d]]$ induced by the translation $\tau_{-T}$.
2.3. Rings of elliptic periods. In this section, we give a recipe for constructing an extension of a ring $R$ using an isogeny between two elliptic curves over $R$. The resulting ring will be called a ring of elliptic periods. It will be a finite free étale algebra over $R$. We just adapt the construction of [9, Section 4] to the case where the base ring is no longer a field. So in this section, $R$ is a ring and $d \ge 3$ is an odd integer. We assume that $d$ is invertible in $R$ and that we are given an elliptic curve $E$ over $R$ by its Weierstrass equation $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ where $\Delta(a_1, a_2, a_3, a_4, a_6)$ is a unit in $R$. We also are given an $R$-point $T = (\mathfrak{x}, \mathfrak{y})$ on $E$ with exact order $d$. We call $I : E \to E'$ the corresponding isogeny, given by Vélu's formulae. Let $D(x') = |e_{l-k}|_{k,l}$ be the polynomial in $R[x']$ defined by Eqs. (27), (28) and (21).

We further assume that we are given a section $A = (x'(A), y'(A)) \in E'(R)$ of $E'_{\mathrm{aff}} \to \mathrm{Spec}(R)$. We assume that $D(x'(A))$ is a unit in $R$. Geometrically, this means that the section $A$ does not intersect the kernel of the dual isogeny $I' : E' \to E$. This is equivalent to the circulant matrix $(e_{l-k}(A))_{k,l}$ being invertible. For every $k$ in $\mathbf{Z}/d\mathbf{Z}$, we write $\varepsilon_k = e_k(A)$. This is an element of $R$. Saying that the circulant matrix $(\varepsilon_{l-k})_{k,l}$ is invertible means that the vector $\vec\varepsilon = (\varepsilon_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ is invertible for the convolution product $*$ on $R^d$. We denote by $\vec\varepsilon^{\,(-1)}$ the inverse of $\vec\varepsilon$ for the convolution product. The ideal $(x' - x'(A), y' - y'(A))$ of $R[E - E[d]] = R[x, y, 1/\psi_d(x)]/(\mathcal{A}(a_1, a_2, a_3, a_4, a_6, x, y))$ is denoted $\mathfrak{J}_A$. We call

$$S = R\Bigl[x, y, \frac{1}{\psi_d(x)}\Bigr]\Big/\bigl(\mathcal{A}(a_1, a_2, a_3, a_4, a_6, x, y),\ \mathfrak{J}_A\bigr) ,$$

the residue ring of $I^{-1}(A)$. We say that $S$ is a ring of elliptic periods. If we specialize at $A$ in Theorem 1, we find that $S$ is a finite free étale $R$-algebra with basis $\theta = (\theta_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ where

$$\theta_k = u_k \bmod \mathfrak{J}_A .$$

We call $\sigma : S \to S$ the $R$-automorphism induced on $S$ by the translation $\tau_{-T}$,

$$\sigma : S \to S ,\qquad f \bmod \mathfrak{J}_A \mapsto f \circ \tau_{-T} \bmod \mathfrak{J}_A .$$

It is clear that $\sigma(\theta_k) = \theta_{k+1}$ for all $k \in \mathbf{Z}/d\mathbf{Z}$. So, if $\alpha = \sum_{k\in\mathbf{Z}/d\mathbf{Z}} \alpha_k \theta_k$ is an element of $S$ with coordinates $\vec\alpha = (\alpha_k)_{k\in\mathbf{Z}/d\mathbf{Z}} \in R^d$ in the basis $\theta$, then the coordinate vector of $\sigma(\alpha)$ is the cyclic shift $\sigma(\vec\alpha) = (\alpha_{k-1})_{k\in\mathbf{Z}/d\mathbf{Z}}$ of $\vec\alpha$. We see that the $R$-automorphism $\sigma : S \to S$ of the free $R$-algebra $S$ takes a very simple form on the basis $\theta$.

We call $\mathcal{L} \subset R[E - E[d]]$ the $R$-module generated by the $u_k$ for $k \in \mathbf{Z}/d\mathbf{Z}$. We know that reduction modulo $\mathfrak{J}_A$ defines an isomorphism of $R$-modules:

$$e_A : \mathcal{L} \to S ,\qquad f \mapsto f \bmod \mathfrak{J}_A .$$

So elements in $S$ can be represented by elements in $\mathcal{L}$.

We now study the multiplication tensor in $S$. We shall find a simple expression for this tensor using interpolation at some auxiliary points, in the spirit of the discrete Fourier transform. We first notice that if $k, l \in \mathbf{Z}/d\mathbf{Z}$ and $k \ne l, l+1, l-1 \bmod d$, then

$$u_k u_l \in \mathcal{L} .$$

This is proven using Eqs. (5), (9), and (13). Using Eqs. (5), (6), (9), and (13), we also show that

$$u_{k-1} u_k + a^2 x_k \in \mathcal{L} \quad\text{and}\quad u_k^2 - a^2 x_k - a^2 x_{k+1} \in \mathcal{L} .$$

So if $(\alpha_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ and $(\beta_k)_{k\in\mathbf{Z}/d\mathbf{Z}}$ are two vectors in $R^d$, we have

$$\Bigl(\sum_k \alpha_k u_k\Bigr)\Bigl(\sum_k \beta_k u_k\Bigr) = a^2 \sum_k \alpha_k \beta_k\,(x_k + x_{k+1}) - a^2 \sum_k \alpha_{k-1}\beta_k\,x_k - a^2 \sum_k \beta_{k-1}\alpha_k\,x_k \bmod \mathcal{L}$$
$$= a^2 \sum_k (\alpha_k - \alpha_{k-1})(\beta_k - \beta_{k-1})\,x_k \bmod \mathcal{L} . \quad (31)$$

k 

We now assume we are given an auxiliary section $M = (x(M), y(M))$ of $E_{\mathrm{aff}} \to \mathrm{Spec}(R)$ such that the image $N = I(M)$ of $M$ by $I$ is a section $(x'(N), y'(N))$ of $E'_{\mathrm{aff}} \to \mathrm{Spec}(R)$ and $D(x'(N))$ is a unit in $R$. So, the residue ring at $I^{-1}(N)$ is a free $R$-module of rank $d$ and the evaluation map

$$e_N : \mathcal{L} \to R^d ,\qquad f \mapsto \bigl(f(M + kT)\bigr)_{k\in\mathbf{Z}/d\mathbf{Z}}$$

is a bijection. Also, the vector

$$\vec u_N = \bigl(u_0(M + kT)\bigr)_{k\in\mathbf{Z}/d\mathbf{Z}} \quad (32)$$

is invertible for the convolution product in $R^d$. We call $\vec u_N^{\,(-1)}$ its inverse. We denote by $\vec x_N$ the vector

$$\vec x_N = e_N(x) = \bigl(x(M + kT)\bigr)_{k\in\mathbf{Z}/d\mathbf{Z}} . \quad (33)$$

We note

$$\xi_k = x_k \bmod \mathfrak{J}_A$$

for every $k \in \mathbf{Z}/d\mathbf{Z}$. Since $S$ is free over $R$ and $\theta$ is a basis for it, there exist scalars $(t_k)_k$ in $R$ such that

$$\xi_0 = \sum_{k\in\mathbf{Z}/d\mathbf{Z}} t_k\,\theta_k .$$

So $\vec t = (t_k)_k$ is the coordinate vector of $\xi_0$ in the basis $\theta$. In Section 2.1.4.3, we already explained how to compute these coordinates in quasi-linear time in the dimension $d$.

Let $\alpha$, $\beta$ and $\gamma$ be three elements in $S$ such that $\gamma = \alpha\beta$. Let $\vec\alpha = (\alpha_k)_{k \in \mathbb{Z}/d\mathbb{Z}}$ be the coordinate vector of $\alpha$ in the basis $\Theta$. Define $\vec\beta$ and $\vec\gamma$ in a similar way. To compute the multiplication tensor, we use an argument similar to the one of [9, Section 4.3]. We define four functions in $R(E - E[d])$,

$$f_\alpha = \sum_i \alpha_i u_i, \qquad f_\beta = \sum_i \beta_i u_i, \qquad Q = \alpha^2 \sum_i (\alpha_i - \alpha_{i-1})(\beta_i - \beta_{i-1})\, x_i, \qquad \mathcal{R} = f_\alpha f_\beta - Q .$$

The product we want to compute is $f_\alpha f_\beta = Q + \mathcal{R} \bmod \mathcal{I}_A$. From Eq. (31), we deduce that $\mathcal{R}$ is in $\mathcal{L}$. From the definition of $\vec\tau$, we deduce that the coordinates in $\Theta$ of $Q \bmod \mathcal{I}_A$ are given by the vector

$$(\alpha^2 \vec\tau) \star \big((\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big) .$$

The evaluation of $f_\alpha$ at the points $(M + kT)_k$ is the vector $e_N(f_\alpha) = \vec u_N \star \vec\alpha$. The evaluation of $\mathcal{R}$ is $e_N(\mathcal{R}) = (\vec u_N \star \vec\alpha) \circ (\vec u_N \star \vec\beta) - \vec x_N \star \big(\alpha^2 (\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big)$. If we $\star$-multiply this last vector on the left by $\vec u_N^{(-1)}$, we obtain the coordinates of $\mathcal{R}$ in the basis $(u_0, \ldots, u_{d-1})$. These are the coordinates of $\mathcal{R} \bmod \mathcal{I}_A$ in the basis $\Theta$ too.

So the multiplication tensor in the $R$-basis $\Theta$ of the free $R$-algebra $S$ is given by

$$\vec\gamma = (\alpha^2 \vec\tau) \star \big((\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big) + \vec u_N^{(-1)} \star \Big( (\vec u_N \star \vec\alpha) \circ (\vec u_N \star \vec\beta) - (\alpha^2 \vec x_N) \star \big((\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big) \Big) . \qquad (34)$$

This multiplication tensor consists of 5 convolution products, 2 component-wise products, 1 addition and 3 subtractions between vectors in $R^d$.

The following theorem summarizes the results in this section.

Theorem 2 (The ring of elliptic periods). Let $d \geq 3$ be an odd integer. Let $R$ be a ring where $d$ is invertible. Let $a_1, a_2, a_3, a_4, a_6$, $\rho$ and $\eta$ be elements in $R$ such that $\Delta(a_1, a_2, a_3, a_4, a_6)$ is a unit in $R$ and the point $T = (\rho, \eta)$ is a point of exact order $d$ on the Weierstrass elliptic curve over $R$ given by the equation $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$. Let $I : E \to E'$ be the Vélu's isogeny with kernel $\langle T \rangle$ and let $A = (x'(A), y'(A)) \in E'(R)$ be a section of $E'_{\mathrm{aff}} \to \mathrm{Spec}(R)$ that does not intersect the kernel of the dual isogeny $I' : E' \to E$ (equivalently $D(x'(A))$ is a unit in $R$). Let $\mathcal{I}_A = (x' - x'(A), y' - y'(A))$ be the corresponding ideal of $R[E - E[d]] = R[x, y, 1/\psi_d(x)]/(\Lambda(a_1, a_2, a_3, a_4, a_6, x, y))$. Let

$$S = R[x, y, 1/\psi_d(x)]/(\Lambda(a_1, a_2, a_3, a_4, a_6, x, y), \mathcal{I}_A) ,$$

be the residue ring of $I^{-1}(A)$. Then $S$ is a finite free étale $R$-algebra of rank $d$. If we call $\sigma : S \to S$ the $R$-automorphism induced on $S$ by the translation $\tau_{-T}$, then $S$ is a free $R[\sigma]$-module of rank 1.

Using notations introduced from Eq. (11) to Eq. (29), we set $\alpha = 1$, $b = (1 - c_1)/d$, $u_k = \alpha U_k + b$ and $\theta_k = u_k \bmod \mathcal{I}_A$. Then $\sigma(\theta_k) = \theta_{k+1}$, and $\Theta = (\theta_k)_{k \in \mathbb{Z}/d\mathbb{Z}}$ is an $R$-basis of $S$. If $M = (x(M), y(M)) \in E(R)$ is an auxiliary section that does not cross $E[d]$, then the multiplication tensor of $S$ in the basis $\Theta$ is given by Eq. (34).

2.4. Example. Let $R$ be the ring $\mathbb{Z}/101^2\mathbb{Z}$. We consider the elliptic curve $E$ over $R$ defined by the Weierstrass equation $E/(\mathbb{Z}/101^2\mathbb{Z}) : y^2 = x^3 + 55x + 91$. Let $T$ be the point $(659, 8304) \in E(\mathbb{Z}/101^2\mathbb{Z})$. This is a point with exact order $d = 7$.

We first compute $r_{1,2} = 5780$, $r_{2,3} = 4390$, $r_{3,4} = 3596$, $r_{4,5} = 4390$ and $r_{5,6} = 5780$. We then find $c_1 = 3534$, and from Eq. (15), we deduce $c_2 = 7412$, $c_3 = 618$, $c_4 = 9583$, $c_5 = 2789$ and $c_6 = 6667$. Moreover $c_1$ is a unit in $R$ and we set $\alpha = 1/c_1 = 6665$ and $b = 0$.

We compute the quotient elliptic curve $E' = E/\langle T \rangle$ thanks to Vélu's formulae. This yields the curve $E'/(\mathbb{Z}/101^2\mathbb{Z}) : y^2 = x^3 + 6725x + 6453$. Let $A$ be the point $(1373, 1956) \in E'(\mathbb{Z}/101^2\mathbb{Z})$. This is a point with exact order 14.

We can efficiently compute traces of $u_k u_l$ evaluated at $A$ with Eqs. (16), (17), (18), (19) and (20). We find

$$\vec\varepsilon = (9428, 6046, 1946, 2596, 2596, 1946, 6046) .$$

This vector is invertible for the convolution product in $R^7$ and its inverse is

$$\vec\varepsilon^{(-1)} = (3392, 3344, 10161, 101, 101, 10161, 3344) .$$

We now compute traces of $x u_k$ evaluated at $A$ with Eqs. (23), (24), (25) and (26), and find

$$\vec t = (10063, 4509, 6660, 4259, 6660, 4509, 138) .$$

We finally obtain

$$\vec\tau = \vec\varepsilon^{(-1)} \star \vec t = (7790, 6555, 2470, 2741, 4358, 2047, 636) .$$

Let us consider the additional evaluation point $M = (8903, 4033) \in E(\mathbb{Z}/101^2\mathbb{Z})$. We check that $(\varepsilon_k(N))_k$ where $N = I(M)$ is invertible for the convolution product in $R^7$. So $N$ does not cross the kernel of the dual isogeny. Then Eq. (33) yields

$$\alpha^2 \vec x_N = (2742, 2044, 649, 2348, 7216, 9732, 7464) .$$

Similarly, Eq. (32) yields

$$\vec u_N = (1029, 7201, 10176, 1807, 4875, 3261, 2255) .$$

And therefore, $\vec u_N^{(-1)} = (7790, 1761, 3889, 6998, 5866, 1090, 3210)$.

Now, let us make use of these precomputations to, for instance, compute $\theta_0^2$ with Eq. (34). We thus start from $\vec\alpha = \vec\beta = (1, 0, 0, 0, 0, 0, 0)$, and we first compute

$$\vec u_N \star \vec\alpha = (1029, 7201, 10176, 1807, 4875, 3261, 2255) ,$$

and

$$\alpha^2 \vec x_N \star \big((\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big) = (5, 4786, 2693, 2997, 9564, 6747, 6995) .$$

Thus,

$$\vec u_N^{(-1)} \star \Big( (\vec u_N \star \vec\alpha) \circ (\vec u_N \star \vec\beta) - (\alpha^2 \vec x_N) \star \big((\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big) \Big) = (8133, 8133, 8133, 8133, 8133, 8133, 8133) .$$

It follows,

$$(\alpha^2 \vec\tau) \star \big((\vec\alpha - \sigma(\vec\alpha)) \circ (\vec\beta - \sigma(\vec\beta))\big) = (6406, 4952, 8520, 969, 8109, 7516, 7834) ,$$

and finally

$$\vec\gamma = (4338, 2884, 6452, 9102, 6041, 5448, 5766) .$$
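As an added example (not code from the paper), the following Python evaluates the tensor (34) over the data of this section: the vectors are the ones listed above, $R = \mathbb{Z}/101^2\mathbb{Z}$ and $d = 7$; the only convention assumed is $(a \star b)_k = \sum_j a_j b_{k-j}$ with indices in $\mathbb{Z}/d\mathbb{Z}$.

```python
# Added example: Eq. (34) over the vectors of Example 2.4 (not the paper's own code).
N = 101 ** 2   # R = Z/101^2 Z
D = 7          # rank d of S

def conv(a, b, n=N):
    """Cyclic convolution a * b on R^d: (a * b)_k = sum_j a_j b_{k-j}, indices mod d."""
    d = len(a)
    return tuple(sum(a[j] * b[(k - j) % d] for j in range(d)) % n for k in range(d))

def hadamard(a, b, n=N):
    """Component-wise product a o b."""
    return tuple(x * y % n for x, y in zip(a, b))

def shift(a):
    """sigma on coordinate vectors: the cyclic shift (a_{k-1})_k."""
    return tuple(a[(k - 1) % len(a)] for k in range(len(a)))

def scale(c, a, n=N):
    return tuple(c * x % n for x in a)

def sub(a, b, n=N):
    return tuple((x - y) % n for x, y in zip(a, b))

def add(a, b, n=N):
    return tuple((x + y) % n for x, y in zip(a, b))

def unit(d=D):
    """The neutral element (1, 0, ..., 0) of (R^d, *)."""
    return (1,) + (0,) * (d - 1)

def is_conv_inverse(a, b, n=N):
    return conv(a, b, n) == unit(len(a))

# Data of Example 2.4, copied from the text above.
EPS = (9428, 6046, 1946, 2596, 2596, 1946, 6046)       # traces of u_k u_l at A
EPS_INV = (3392, 3344, 10161, 101, 101, 10161, 3344)   # its convolution inverse
TR = (10063, 4509, 6660, 4259, 6660, 4509, 138)        # traces of x u_k at A
TAU = (7790, 6555, 2470, 2741, 4358, 2047, 636)        # tau = eps^(-1) * t
ALPHA = 6665                                           # alpha = 1/c_1
A2XN = (2742, 2044, 649, 2348, 7216, 9732, 7464)       # alpha^2 x_N, Eq. (33)
UN = (1029, 7201, 10176, 1807, 4875, 3261, 2255)       # u_N, Eq. (32)
UN_INV = (7790, 1761, 3889, 6998, 5866, 1090, 3210)    # its convolution inverse

def multiply(a, b, tau=TAU, un=UN, un_inv=UN_INV, a2xn=A2XN, alpha=ALPHA, n=N):
    """Coordinates of gamma = alpha.beta in the basis Theta, following Eq. (34)."""
    diff = hadamard(sub(a, shift(a), n), sub(b, shift(b), n), n)   # (a - s(a)) o (b - s(b))
    a2 = alpha * alpha % n
    q_part = conv(scale(a2, tau, n), diff, n)                      # Q mod I_A in the basis Theta
    # evaluation of R at the points M + kT, then back to the basis (u_0, ..., u_{d-1})
    r_eval = sub(hadamard(conv(un, a, n), conv(un, b, n), n), conv(a2xn, diff, n), n)
    return add(q_part, conv(un_inv, r_eval, n), n)

def theta0_squared():
    """theta_0 * theta_0, the computation carried out at the end of Example 2.4."""
    e0 = unit()
    return multiply(e0, e0)

if __name__ == "__main__":
    print(theta0_squared())   # (4338, 2884, 6452, 9102, 6041, 5448, 5766)
```

Because $1 = \sum_k \theta_k$ by Eq. (10), the all-ones vector must act as the identity of `multiply`, which is a cheap consistency check on the precomputed data.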

3. An elliptic AKS criterion

Agrawal, Kayal and Saxena have proven [1] that primality of an integer $n$ can be tested in deterministic polynomial time $(\log n)^{12+o(1)}$. Their test, often called the AKS test, relies on explicit computations in the multiplicative group of a well chosen free commutative $R$-algebra $S$ of finite rank, where $R = \mathbb{Z}/n\mathbb{Z}$. More precisely, they take for $S$ the cyclic algebra $R[x]/(x^r - 1)$ where $r$ is a well chosen, and rather large, integer.

Lenstra and Pomerance generalized this algorithm and obtained the better deterministic complexity $(\log n)^{6+o(1)}$ [16]. The main improvement in Lenstra and Pomerance's approach consists in using a more general construction for the free commutative algebra $S$. As a consequence, the dimension of $S$ is much smaller for a given $n$, and this results in a faster algorithm. A nice survey [24] has been written by Schoof.

Berrizbeitia first [6], and then Cheng [8], have proven that there exists a probabilistic variant of these algorithms that works in time $(\log n)^{4+o(1)}$ provided $n - 1$ has a divisor $d$ bigger than $(\log_2 n)^2$ and smaller than a constant times $(\log_2 n)^2$. Avanzi and Mihailescu [4], and independently Bernstein [5], explain how to treat a general integer $n$ using a divisor $d$ of $n^f - 1$ instead, where $f$ is a small integer. The initial idea consists in using $R$-automorphisms of $S$ to speed up the calculations. In these variants, the free commutative $R$-algebra $S$ has to be constructed in such a way that a non-trivial $R$-automorphism $\sigma : S \to S$ is effectively given, and can be efficiently applied to any element in $S$.

All the aforementioned algorithms construct $S$ as a residue ring modulo $n$ of a cyclotomic or Kummer extension of the ring $\mathbb{Z}$ of integers. In this section, we propose an AKS-like primality criterion that relies on Kummer theory of elliptic curves. The main advantage of this elliptic variant, compared to the Berrizbeitia-Cheng-Avanzi-Mihailescu-Bernstein one, is that it allows a much greater choice for the value of $d$, since there exist many elliptic curves modulo $n$. We are not restricted to divisors of $n - 1$. We can use any $d$ that divides the order of any elliptic curve modulo $n$. In particular, we avoid the complication and the cost coming from the exponent $f$ in $n^f - 1$. The algorithm remains almost quartic both in time and space. However, we heuristically save a factor $(\log\log n)^{O(\log\log\log\log n)}$ in the complexity. From a practical viewpoint, it might be worth choosing for $d$ a product of prime integers of the appropriate size, depending on one's implementation of the fast Fourier transform.

Section 3.1 gathers prerequisites from commutative algebra. In Section 3.2, we describe a rather general variant of the AKS primality criterion: it makes use of a free $R$-algebra $S$ of rank $d$ together with an $R$-automorphism $\sigma : S \to S$ of order $d$. We recall how this algebra can be constructed from multiplicative Kummer theory as in [6]. In Section 3.3, we state and prove a primality criterion involving rings of elliptic periods. The construction of such rings is detailed in Section 3.4.

3.1. Étale cyclic extensions of a field. Let $K$ be a field and let $L \supset K$ be a commutative algebra over $K$. We assume $L$ is of finite dimension $d \geq 1$ over $K$. We also assume there exists a $K$-automorphism $\sigma$ of $L$ and a $K$-basis $(\omega_i)_{i \in \mathbb{Z}/d\mathbb{Z}}$ of $L$ such that $\sigma(\omega_i) = \omega_{i+1}$. So $L$ is a rank 1 free $K[\mathcal{G}]$-module, where $\mathcal{G} = \langle \sigma \rangle$ is the cyclic group generated by $\sigma$. And $\omega_0$ is a basis of the $K[\mathcal{G}]$-module $L$. In this section, we recall a few elementary facts about the arithmetic of $L$.

First, $L$ is a noetherian ring, because it is of finite type over the field $K$. Further $K$ is the subring of elements in $L$ that are invariant by $\sigma$. We deduce [7, Chapitre 5, paragraphe 1, numéro 9, proposition 22] that $L$ is integral over $K$. Let $\mathfrak{p}$ be a prime ideal in $L$. The intersection $\mathfrak{p} \cap K$ is a prime ideal in $K$, so it is equal to $0$. Since $0$ is maximal in $K$, the ideal $\mathfrak{p}$ is maximal in $L$ [7, Chapitre 5, paragraphe 2, numéro 1, Proposition 1]. Thus $L$ is a ring of dimension 0. Since $L$ is noetherian, it is an artinian ring [7, Chapitre 4, paragraphe 2, numéro 5, Proposition 9]. Its nilradical $\mathfrak{N}$, which is equal to its Jacobson radical, is nilpotent. The automorphism $\sigma$ acts transitively on the set of prime ideals in $L$ [7, Chapitre 5, paragraphe 2, numéro 2, Théorème 2]. We denote by $\mathcal{G}^D$ (resp. $\mathcal{G}^I$) the decomposition group (resp. inertia group) of all these prime ideals. Let $e \geq 1$ be the order of the inertia group $\mathcal{G}^I$, and let $f$ be the order of the quotient $\mathcal{G}^D/\mathcal{G}^I$. We check that $d = efm$ where $m$ is the number of prime ideals in $L$. Let $\mathfrak{p}_0, \mathfrak{p}_1, \ldots, \mathfrak{p}_{m-1}$ be all these prime ideals. They are pairwise relatively prime. The radical of $L$ is

$$\mathfrak{N} = \bigcap_{0 \leq i \leq m-1} \mathfrak{p}_i = \prod_{0 \leq i \leq m-1} \mathfrak{p}_i .$$

The canonical map

$$\phi : L \to \prod_{0 \leq i \leq m-1} L/\mathfrak{p}_i$$

is a ring epimorphism and its kernel is the radical $\mathfrak{N}$. For every $i$ in $\{0, 1, \ldots, m-1\}$, the quotient $\mathcal{G}^D/\mathcal{G}^I$ is isomorphic to the group of $K$-automorphisms of the residue field $M_i = L/\mathfrak{p}_i$ [7, Chapitre 5, paragraphe 2, numéro 2, Théorème 2]. The field extensions $M_i$ of $K$ are normal and their separable degree is $f$. Let $r$ be their inseparable degree. The dimension of the $K$-vector space $M_i$ is $rf$. We deduce that the dimension of $\prod_{0 \leq i \leq m-1} L/\mathfrak{p}_i$ is $rfm$. And the dimension of the radical is

$$\dim_K(\mathfrak{N}) = d - rfm = (e - r)fm . \qquad (35)$$

The radical $\mathfrak{N}$ is nilpotent: there exists an integer $k$ such that $\mathfrak{N}^k = 0$. The artinian ring $L$ is isomorphic [3, Theorem 8.7] to the product of local artinian rings $\prod_{0 \leq i \leq m-1} L/\mathfrak{p}_i^k$.

One says that the algebra $L$ is unramified over $K$ [18, Chapter 4, Definition 3.17] if the residue fields $L/\mathfrak{p}_i$ are separable extensions of $K$ (that is $r = 1$) and the local factors $L/\mathfrak{p}_i^k$ are fields (i.e. the nilradical is zero or equivalently $e - r = 0$). This is equivalent to $L$ being étale over $K$, i.e. the trace form being non-degenerate.

A sufficient condition for $L$ to be unramified over $K$ is that for every prime divisor $\ell$ of $d$ there exists an element $a_\ell$ in $L$ such that $\sigma^{d/\ell}(a_\ell) - a_\ell$ is a unit. Indeed this proves that $\sigma^{d/\ell}$ does not lie in $\mathcal{G}^I$. So $e = 1$. And $r = 1$ also, using Eq. (35).

Assume now $K$ is a finite field and $L$ is reduced (therefore étale over $K$). Remember $\mathfrak{p}_0, \mathfrak{p}_1, \ldots, \mathfrak{p}_{m-1}$ are the prime ideals in $L$. The Frobenius automorphism $\Phi_i$ of $M_i = L/\mathfrak{p}_i$ is the reduction modulo $\mathfrak{p}_i$ of some power $\sigma^{z_i}$ of $\sigma$ lying in $\mathcal{G}^D$. Especially, for every $a$ in $L$, one has $\sigma^{z_0}(a) = a^p \bmod \mathfrak{p}_0$ for some integer $z_0$. We let $\sigma$ act on the above congruence and deduce that $z_0 = z_1 = \cdots = z_{d-1}$ because $\sigma$ acts transitively on the set of primes. So there exists an integer $z$ such that for every element $a$ in $L$ we have

$$a^p = \sigma^z(a) . \qquad (36)$$

Of course, $z$ is a multiple of $m$.

3.2. Ring extensions and primality proving. Let $n \geq 2$ be an integer and set $R = \mathbb{Z}/n\mathbb{Z}$. In this section, we state a general AKS-like primality criterion in terms of the existence of some commutative free $R$-algebra $S$ of finite rank fulfilling simple conditions.

Let $S \supset R$ be a finite free commutative $R$-algebra of rank $d \geq 1$. Then $R$ can be identified with a subring of $S$. Let $\sigma : S \to S$ be an $R$-automorphism of $S$ and assume that there exists an $R$-basis $(\omega_i)_{i \in \mathbb{Z}/d\mathbb{Z}}$ of $S$ such that $\sigma(\omega_i) = \omega_{i+1}$. Let $p$ be a positive prime integer dividing $n$. Set $L = S/pS$ and $K = R/pR = \mathbb{Z}/p\mathbb{Z}$. Assume $L$ is reduced. This is always the case when $S$ is étale over $R$ [18, Chapter 4, Definition 3.17, Lemma 3.20]. The $R$-automorphism $\sigma : S \to S$ induces a $K$-automorphism of $L$ that we call $\sigma$ also. Let $\theta$ be a unit in $S$ such that

$$\theta^n = \sigma(\theta) .$$

Reducing this identity modulo $p$ and setting $a = \theta \bmod p \in L$, we obtain

$$a^n = \sigma(a) . \qquad (37)$$

Using Eqs. (37) and (36) repeatedly, we prove that there exists an integer $z$ such that for $k, l \in \mathbb{N}$, we have

$$a^{n^k p^l} = \sigma^{k + zl}(a) . \qquad (38)$$

Let $\mathfrak{p}$ be a prime ideal in $L$ and set $M = L/\mathfrak{p}$. Set $b = a \bmod \mathfrak{p} \in M$. Let $G \subset L^*$ be the group generated by $a$ and let $H \subset M^*$ be the group generated by $b$. We first show that the reduction modulo $\mathfrak{p}$ map $G \to H$ is a bijection. Indeed, let $k$ be a positive integer such that $b^k = 1 \in M$. Then $a^k = 1 \bmod \mathfrak{p}$. We raise both members in this congruence to the $n$-th power. Using Eq. (37), we find $a^{kn} = a^{nk} = \sigma(a)^k = \sigma(a^k) = 1 \bmod \mathfrak{p}$. So $a^k = 1 \bmod \sigma^{-1}(\mathfrak{p})$. We remind that $\sigma$ acts transitively on the set of primes in $L$. So $a^k$ is congruent to 1 modulo all these primes. Since $L$ is reduced, we deduce that $a^k = 1$.

The group $H$ is a subgroup of $M^*$. Therefore the order $h$ of $H$ (which is the order of $G$ also) divides $p^f - 1$ where $f$ is the dimension of $M$ over $K$. It is thus clear that $p$ and $h$ are coprime. Iterating $d$ times Eq. (37), we find that $a^{n^d} = a$. So $n$ also is invertible modulo $h = \#G = \#H$. So Eq. (38) makes sense and holds true for $k$ and $l$ in $\mathbb{Z}$, provided the exponents are seen as residues modulo $h$.

We set $q = n/p$ and from Eqs. (37) and (36), we deduce that $a^q = \sigma^{1-z}(a)$. Moreover, there exist four integers $i, i', j$ and $j'$ in $\{0, 1, \ldots, \lfloor\sqrt d\rfloor\}$ such that $(i, j) \neq (i', j')$ and $i(1 - z) + jz$ is congruent to $i'(1 - z) + j'z$ modulo $d$. Setting in Eq. (38), first $k = i$ and $l = j - i$, and then $k = i'$ and $l = j' - i'$, we find that exponentiations by $q^i p^j$ and $q^{i'} p^{j'}$ act similarly on $a$. We deduce that

$$q^i p^j = q^{i'} p^{j'} \bmod \#G . \qquad (39)$$

We now observe that both integers $q^i p^j$ and $q^{i'} p^{j'}$ are bounded above by $n^{\lfloor\sqrt d\rfloor}$. If

$$\#G \geq n^{\lfloor\sqrt d\rfloor} ,$$

then Congruence (39) is an equality between integers and we deduce that $n$ is a power of $p$.

Theorem 3 (AKS criterion). Let $n \geq 2$ be an integer and set $R = \mathbb{Z}/n\mathbb{Z}$. Let $S \supset R$ be a free algebra of rank $d$ over $R$. Let $\sigma$ be an $R$-automorphism of $S$. Let $\mathcal{G}$ be the group generated by $\sigma$. Assume $S$ is a free $R[\mathcal{G}]$-module of rank 1: there exists an element $\omega$ in $S$ such that $(\omega, \sigma(\omega), \ldots, \sigma^{d-1}(\omega))$ is an $R$-basis of $S$. Let $\theta$ be a unit in $S$ such that $\theta^n = \sigma(\theta)$. Let $p$ be a prime divisor of $n$. Assume $S/pS$ is reduced and $\theta \bmod p$ generates a subgroup of order at least $n^{\lfloor\sqrt d\rfloor}$ in $(S/pS)^*$. Then $n$ is a power of $p$.

The condition that $S/pS$ is reduced is granted if $S$ is étale over $R$. A sufficient condition for $S$ to be étale over $R$ is that for every prime divisor $\ell$ of $d$, there exists an element $a_\ell$ in $S$ such that $\sigma^{d/\ell}(a_\ell) - a_\ell$ is a unit.

The condition on the size of the group generated by $\theta \bmod p$ is often obtained with the help of geometric arguments. In our cases, these are degree considerations, which yield a lower bound for $d$.

Berrizbeitia, Cheng, Avanzi, Mihailescu and Bernstein construct $S$ as $R[x]/(x^d - a)$ where $d \geq 2$ divides $n - 1$ and $a$ is a unit in $R$. We set $n - 1 = dm$ and $\zeta = a^m$. Assume $\zeta$ has exact order $d$ in $R^*$. This means that $\zeta^d = 1$ and $\zeta^k - 1$ is a unit for every $1 \leq k < d$. We define an $R$-automorphism $\sigma : S \to S$ by setting $\sigma(x) = \zeta x$. We set $\omega = (a - 1)/(x - 1) = 1 + x + x^2 + \cdots + x^{d-1} \bmod x^d - a$ and we check that $(\omega, \sigma(\omega), \ldots, \sigma^{d-1}(\omega))$ is an $R$-basis of $S$. Indeed $(1, x, x^2, \ldots, x^{d-1})$ is a basis, and the matrix connecting the two systems is a Vandermonde matrix $V(1, \zeta, \ldots, \zeta^{d-1})$ which is invertible since $\zeta$ has exact order $d$. So $S$ is a free $R[\sigma]$-module of rank 1.

We note that $x \bmod x^d - a$ is a unit in $S$ because $a$ is a unit in $R$. For every integer $1 \leq k < d$, the difference $\sigma^k(x) - x = (\zeta^k - 1)x$ is a unit in $S$, because $\zeta$ has exact order $d$. So $S$ is étale over $R$. The main computational step in Berrizbeitia's test is to check, by explicit calculation, that the following congruence holds true in $S$,

$$(x - 1)^n = \zeta x - 1 \bmod (n, x^d - a) . \qquad (40)$$

So, we set $\theta = x - 1 \bmod (n, x^d - a)$. This is a unit in $S$ because $a - 1$ is a unit in $R$. Letting $\sigma$ repeatedly act on Eq. (40), we deduce that for any positive integer $k$, the class $\zeta^k x - 1 \bmod (n, x^d - a)$ is a power of $\theta$.

Let $p$ be any prime divisor of $n$. We set $a = \theta \bmod p = x - 1 \bmod (p, x^d - a) \in S/pS$. We show that the order of $a$ in $(S/pS)^*$ is large. For every subset $\mathcal{S}$ of $\{0, 1, \ldots, d-1\}$, we denote by $a_{\mathcal{S}}$ the product

$$\prod_{k \in \mathcal{S}} (\zeta^k x - 1) \bmod (p, x^d - a) = \prod_{k \in \mathcal{S}} \sigma^k(a) .$$

This is a power of $a$, because every $\sigma^k(a)$ is. Degree considerations similar to those in the original paper [1] show that if $\mathcal{S}_1$ and $\mathcal{S}_2$ are two strict distinct subsets of $\{0, 1, \ldots, d-1\}$, then $a_{\mathcal{S}_1}$ and $a_{\mathcal{S}_2}$ are distinct elements in $S/pS$. So the order of $a$ in $(S/pS)^*$ is at least $2^d - 1$. This lower bound can be improved by several means (see for instance Voloch's work [27]). If $2^d$ is bigger than $n^{\lfloor\sqrt d\rfloor}$, we deduce from Theorem 3 that $n$ is a prime power.

Corollary 1 (Berrizbeitia criterion). Let $n \geq 3$ be an integer and set $R = \mathbb{Z}/n\mathbb{Z}$. Let $S = R[x]/(x^d - a)$ where $d \geq 2$ divides $n - 1$. Set $n - 1 = dm$ and assume $\zeta = a^m$ has exact order $d$ in $R^*$. Assume Eq. (40) holds true in $S$. If $2^d$ is bigger than $n^{\lfloor\sqrt d\rfloor}$, then $n$ is a prime power.
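The congruence (40) computed in $S = R[x]/(x^d - a)$, as an added Python example that is not the paper's code: elements of $S$ are coefficient lists of length $d$, $\sigma$ is applied coefficient-wise as $x^k \mapsto \zeta^k x^k$, and the exact-order condition on $\zeta$ is checked with gcds since $R = \mathbb{Z}/n\mathbb{Z}$ need not be a field. The value of $d$ and the search for $a$ are the example's own choices.

```python
# Added example (not the paper's code): the congruence (40) in S = R[x]/(x^d - a).
from math import gcd

def mul_mod(f, g, a, n):
    """Product of two coefficient lists in R[x]/(x^d - a), R = Z/nZ; x^(d+i) reduces to a x^i."""
    d = len(f)
    h = [0] * (2 * d - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] = (h[i + j] + fi * gj) % n
    for i in range(2 * d - 2, d - 1, -1):
        h[i - d] = (h[i - d] + a * h[i]) % n
    return h[:d]

def pow_mod(f, e, a, n):
    """Square-and-multiply exponentiation in R[x]/(x^d - a)."""
    result = [1] + [0] * (len(f) - 1)
    base = list(f)
    while e:
        if e & 1:
            result = mul_mod(result, base, a, n)
        base = mul_mod(base, base, a, n)
        e >>= 1
    return result

def sigma(f, zeta, n):
    """The R-automorphism sigma(x) = zeta x: the coefficient of x^k is multiplied by zeta^k."""
    return [c * pow(zeta, k, n) % n for k, c in enumerate(f)]

def has_exact_order(zeta, d, n):
    """zeta^d = 1 and zeta^k - 1 is a unit of Z/nZ for 1 <= k < d (this makes S etale)."""
    if pow(zeta, d, n) != 1:
        return False
    return all(gcd((pow(zeta, k, n) - 1) % n, n) == 1 for k in range(1, d))

def berrizbeitia_congruence(n, d, a):
    """Check (x - 1)^n = zeta x - 1 mod (n, x^d - a) with zeta = a^m and n - 1 = d m.
    Returns (zeta, None) when zeta does not have exact order d, so the criterion
    does not apply, and (zeta, bool) otherwise."""
    if d < 2 or (n - 1) % d:
        raise ValueError("d >= 2 must divide n - 1")
    zeta = pow(a, (n - 1) // d, n)
    if not has_exact_order(zeta, d, n):
        return zeta, None
    theta = [(-1) % n, 1] + [0] * (d - 2)     # theta = x - 1
    lhs = pow_mod(theta, n, a, n)             # (x - 1)^n computed in S
    rhs = sigma(theta, zeta, n)               # sigma(theta) = zeta x - 1
    return zeta, lhs == rhs

def find_witness(n, d):
    """Smallest a in Z/nZ whose image zeta = a^m has exact order d, or None."""
    m = (n - 1) // d
    for a in range(2, n):
        if has_exact_order(pow(a, m, n), d, n):
            return a
    return None

if __name__ == "__main__":
    n, d = 1009, 7                            # 7 divides n - 1 = 1008
    print(berrizbeitia_congruence(n, d, find_witness(n, d)))
```

For a prime $n$ the congruence is forced by the Frobenius identity $(x-1)^n = x^n - 1 = x^{dm} x - 1 = \zeta x - 1$ in $\mathbb{F}_n[x]/(x^d - a)$, so a prime input must always return `True`; the size condition $2^d > n^{\lfloor\sqrt d\rfloor}$ of Corollary 1 is not checked here.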

In Section 3.3, we adapt this construction to the broader general context of Kummer theory of elliptic curves. This way, we get rid of the condition that $d$ divides $n - 1$.

3.3. A primality criterion. In this section, we state and prove a primality criterion involving elliptic periods. Assume we are given an integer $n \geq 2$. We set $R = \mathbb{Z}/n\mathbb{Z}$ and we assume we are in the situation of Theorem 2. We are given a Weierstrass elliptic curve $E$ over $R$, a positive integer $d$ relatively prime to $2n$ and a section $T \in E(R)$ of exact order $d$. The quotient by $\langle T \rangle$ isogeny $I : E \to E'$ is given by Vélu's formulae. We are given a section $A \in E'_{\mathrm{aff}}(R)$ and we call

$$\mathcal{I}_A = (x' - x'(A), y' - y'(A))$$

the ideal of $I^{-1}(A)$ in $R[x, y, 1/\psi_d(x)]/(\Lambda(a_1, a_2, a_3, a_4, a_6, x, y))$. We assume that $D(x'(A))$ is a unit in $R$, where $D$ is defined in Eqs. (27), (28) and (29). Let

$$S = R[x, y, 1/\psi_d(x)]/(x' - x'(A), y' - y'(A))$$

be the residue ring of $R[x, y, 1/\psi_d(x)]/(\Lambda(a_1, a_2, a_3, a_4, a_6, x, y))$ at $I^{-1}(A)$. We call $\sigma : S \to S$ the automorphism induced on $S$ by the translation $\tau_{-T}$,

$$\sigma : S \to S, \qquad f \bmod \mathcal{I}_A \mapsto f \circ \tau_{-T} \bmod \mathcal{I}_A .$$

For $k \in \mathbb{Z}/d\mathbb{Z}$, we set $\theta_k = u_k \bmod \mathcal{I}_A$. The $(\theta_k)_{k \in \mathbb{Z}/d\mathbb{Z}}$ form an $R$-basis of $S$ and we have $\sigma(\theta_k) = \theta_{k+1}$. The algebra $S$ is finite free étale of rank $d$ over $R$ because the determinant $D(x'(A))$ of the trace form is a unit. The main computational step now is to check, by explicit calculation, that the following congruence holds true in $S$,

$$\theta_0^n = \theta_1 . \qquad (41)$$

Letting $\sigma$ repeatedly act on Eq. (41), we deduce that for any $k \in \mathbb{Z}/d\mathbb{Z}$, $\theta_k$ is a power of $\theta_0$. In particular, all $\theta_k$ belong to the ideal generated by $\theta_0$. Using Eq. (10), we deduce that $1 = \sum_{k \in \mathbb{Z}/d\mathbb{Z}} \theta_k$ belongs to the ideal generated by $\theta_0$. So $\theta_0$ is a unit.

Let $p$ be any prime divisor of $n$. We set $a = \theta_0 \bmod p \in S/pS$. We show that the order of $a$ in $(S/pS)^*$ is large. To every subset $\mathcal{S}$ of $\mathbb{Z}/d\mathbb{Z}$, we associate the product

$$u_{\mathcal{S}} = \prod_{k \in \mathcal{S}} u_k .$$

ELLIPTIC PERIODS AND PRIMALITY PROVING

We note that $u_{\mathcal{S}} \bmod (\mathcal{I}_A, p) = \prod_{k \in \mathcal{S}} (\theta_k \bmod p)$ is a power of $a$. Let $\mathcal{S}_1$ and $\mathcal{S}_2$ be two subsets of

$$\{0, 2, 4, \ldots, d - 3\} \subset \mathbb{Z}/d\mathbb{Z} .$$

Let $l_1$ and $l_2$ be two integers that are relatively prime to $p$. Then $l_1 u_{\mathcal{S}_1} \neq l_2 u_{\mathcal{S}_2} \bmod (\mathcal{I}_A, p)$ unless $\mathcal{S}_1 = \mathcal{S}_2$ and $l_1 = l_2 \bmod p$. Indeed, if $l_1 u_{\mathcal{S}_1} = l_2 u_{\mathcal{S}_2} \bmod (\mathcal{I}_A, p)$ then $l_1 u_{\mathcal{S}_1} - l_2 u_{\mathcal{S}_2} \bmod p$ is a function on $E \bmod p$ with divisor $\geq -\sum_{k \in \mathbb{Z}/d\mathbb{Z}} [kT]$ that cancels on the degree $d$ divisor $I^{-1}(A) \bmod p$. So $l_1 u_{\mathcal{S}_1} = l_2 u_{\mathcal{S}_2} \bmod p$. Therefore these two functions have the same poles. We deduce first, that $\mathcal{S}_1 = \mathcal{S}_2$, and then, that $l_1 = l_2$.

There are $2^{(d-1)/2}$ subsets of $\{0, 2, 4, \ldots, d - 3\}$. So, the order of $a$ in $(S/pS)^*$ is at least $2^{(d-1)/2}$.

Using Theorem 3, we deduce the following primality criterion.

Corollary 2 (Elliptic AKS criterion). Let $n \geq 2$ be an integer and let $E$ be a Weierstrass elliptic curve over $R = \mathbb{Z}/n\mathbb{Z}$. Let $T \in E(R)$ be a section of exact order $d$ where $d$ is an integer relatively prime to $2n$. Let $E'$ be the quotient $E/\langle T \rangle$ given by Vélu's formulae. Let $A \in E'_{\mathrm{aff}}(R)$ be a section such that the vector $\vec\varepsilon = (\varepsilon_k(A))_k$ defined by Eq. (22) is invertible for the convolution product $\star$ on $R^d$. Assume that

$$(\theta_0)^n = \theta_1 \qquad (42)$$

holds true in the ring of elliptic periods $S = R[x, y, 1/\psi_d(x)]/(x' - x'(A), y' - y'(A))$. Assume further that

$$2^{(d-1)/2} \geq n^{\lfloor\sqrt d\rfloor} . \qquad (43)$$

Then $n$ is a prime power.

We recall that the condition that the vector $\vec\varepsilon$ be invertible means that the section $A$ does not cross the kernel of the dual isogeny $I' : E' \to E$. Checking Eq. (42) requires $O(\log n)$ multiplications in the ring $S$. Any such multiplication requires $O(d \log d \log\log d)$ operations (additions, subtractions, multiplications) in $R = \mathbb{Z}/n\mathbb{Z}$. So the total cost is

$$O\big((\log n)^2 (\log\log n)^{1+o(1)} \times d \log d \log\log d\big)$$

elementary operations using fast arithmetic [22, 23]. In Section 3.4, we explain why one can hope to find a degree $d$ that is $O((\log n)^2)$. With such a $d$, one can verify Eq. (42) in time

$$O\big((\log n)^4 (\log\log n)^{2+o(1)}\big) .$$

Moreover, we explain how to construct the ring $S$ in Corollary 2.

3.4. Construction of a ring of elliptic periods. In this section, we explain how to construct the ring of elliptic periods that is required to prove that a given integer $n \geq 2$ is prime using Corollary 2. So, we are given an integer $n \geq 2$ which is probably prime: it already passed many pseudo-primality tests. We want to construct a ring of elliptic periods modulo $n$ with rank $d$ for some $d$ satisfying Inequality (43). A sufficient condition is that $d \geq d_{\min}$ with

$$d_{\min} = \lceil 4 (\log_2 n)^2 + 2 \rceil .$$

We assume that $d$ is odd too. We like $d$ to be as small as possible. We set $d_{\max} = d_{\min} \times O(1)$ and ask that $d \in [d_{\min}, d_{\max}]$. The construction is probabilistic and relies on several heuristics. Since $n$ is probably prime, we shall allow ourselves to use algorithms that are only proven to work under the condition that $n$ is prime. This is not an issue as far as we can check the result rigorously (and efficiently).

We set $R = \mathbb{Z}/n\mathbb{Z}$. We want to construct an elliptic curve $E$ over $R$ with a section $T \in E(R)$ of exact order $d$ in the sense of [13, Chapter 1, 1.4]. We use complex multiplication theory.

The first step of the algorithm selects quadratic imaginary orders. We look over the maximal quadratic imaginary orders $\mathcal{O}$ for decreasing fundamental discriminants $-\Delta$. We start with $-\Delta = -7$. For each order $\mathcal{O}$, we first look for a square root $\delta$ of $-\Delta$ modulo $n$ using the algorithm of Legendre. Since $n$ is expected to be prime, the algorithm will succeed in probabilistic time $(\log n)^2 (\log\log n)^{1+o(1)}$. And of course we can check the result rigorously in time $(\log n)(\log\log n)^{1+o(1)}$. For a given $n$, such a square root exists for one quadratic order out of two. If we fail to find such a square root, we go to the next quadratic order.

Once we have found a square root $\delta$ of $-\Delta$ modulo $n$, we call $\mathfrak{n}$ the ideal $(n, \sqrt{-\Delta} - \delta)$ in $\mathcal{O}$ and we look for an element with norm $n$ in $\mathfrak{n}$. We use fast Cornacchia's algorithm. It runs in deterministic time $(\log n)(\log\log n)^{2+o(1)}$ and finds such an element $\xi \in \mathcal{O}$ when it exists.

We then set $t = \mathrm{Tr}(\xi)$ and look for an integer $d$ that satisfies the following conditions:

• $d \in [d_{\min}, d_{\max}]$,

• $d$ is relatively prime to $n(n-1)(n+1)$,

• there exists an $\epsilon \in \{1, -1\}$ such that $d$ divides $n + 1 - \epsilon t$ and is relatively prime to $(n + 1 - \epsilon t)/d$.

In order to find such a $d$, we apply the elliptic curve factoring method to $n + 1 - t$ and $n + 1 + t$. Since the factors we are looking for are very small, we expect to find them in time $(\log n)^{1+o(1)}$. If we find no such integer $d$, we go to the next fundamental discriminant $-\Delta$.

We expect to succeed in finding an integer $d$ for some $\Delta = (\log\log n)^{2+o(1)}$. Also the expected running time of this first step is $(\log n)^{2+o(1)}$. We note that the search for split discriminants can be accelerated using the same technique as in the J.O. Shallit fast-ECPP algorithm [15, 19].

The second step of the algorithm constructs the ring $S$ from the couple $(-\Delta, d)$. Once we have found a quadratic order $\mathcal{O}$, we compute the associated Hilbert class polynomial. Computing $H_{\mathcal{O}}(X)$ requires quasi-linear time in the size of this polynomial. This polynomial has degree $\Delta^{1/2+o(1)}$ and height $\Delta^{1/2+o(1)}$, where $-\Delta$ is the discriminant of $\mathcal{O}$. So $H_{\mathcal{O}}(X)$ can be computed in time $\Delta^{1+o(1)}$. Finding a root $j$ of $H_{\mathcal{O}}(X)$ modulo $n$ is achieved in probabilistic time

$$\Delta^{1/2+o(1)} (\log n)^{2+o(1)} .$$

So the time for finding this root will be $(\log n)^{2+o(1)}$.

Once computed a root of the modular polynomial, we construct an elliptic curve $E$ over $R = \mathbb{Z}/n\mathbb{Z}$ having modular invariant $j$. We then construct a random $R$-section $P$ on $E$. We expect one and only one among $[n + 1 - t]P$ and $[n + 1 + t]P$ to be equal to the zero section $O$. If this is not the case, we pick another point $P$. Let $\epsilon \in \{-1, 1\}$ be such that $d$ divides $n + 1 - \epsilon t$. If we have found a section $P$ such that $[n + 1 - \epsilon t]P \neq O$, then we replace $E$ by its quadratic twist. And we start again with this new curve. If we have found a point $P$ such that $[n + 1 - \epsilon t]P = O$ and $[n + 1 + \epsilon t]P \neq O$, then we multiply $P$ by $(n + 1 - \epsilon t)/d$ and obtain a section $T$ that, we hope, has exact order $d$. We can test that $T$ has exact order $d$ by checking that $\psi_k(x(T))$ is a unit in $R$ for every strict divisor $k$ of $d$. If this condition does not hold, we pick another section $P$ on $E$.

Once we have found a $T$ of exact order $d$, we consider the quotient isogeny $I : E \to E'$. We compute the coefficients in the Weierstrass equation of $E'$ thanks to Eq. (8). We do not write down explicit equations for $I$. We look for an $R$-section $A$ on $E'$ having exact order $d$. We let $S$ be the residue ring of $I^{-1}(A)$. Elements in $S$ are represented by vectors in $R^d$. The automorphism $\sigma$ is the cyclic shift of coordinates. There remains to describe the multiplication law. To this end, we pick an auxiliary $R$-section $M$ of $E$ such that $N = I(M)$ does not cross the kernel of the dual isogeny or equivalently $D(x'(N))$ is a unit in $R$. We now can compute the multiplication tensor of the ring $S$. This tensor is given by Theorem 2. We just need to compute the vectors $\vec\tau$, $\vec u_N$, $\vec x_N$ using the method given in Section 2.1.4. This requires $O(d (\log d)^2 \log\log d)$ operations in $R$. This finishes the construction of the ring $S$.

The expected running time of this second step is $(\log n)^{o(1)} (\log n + d^{1+o(1)}) = (\log n)^{2+o(1)}$ operations in $R$.

Remark. To improve memory requirements of the algorithm, we may try to replace the degree $O(\log^2 n)$ extension by a direct product of $O(\log n)$ extensions $S_k$, each of degree $d_k = O(\log n)$ and each endowed with an $R$-automorphism $\sigma_k$ of order $d_k$. Unfortunately, this product is endowed with an $R$-automorphism $\prod_k \sigma_k$ of order $\prod_k d_k$, much larger than the rank $\sum_k d_k$, and this is a serious drawback to get an efficient primality criterion.

3.5. Example. We consider here a primality test for $n = 1009$.

We first notice that $d_{\min} = \lceil 4 (\log_2 n)^2 + 2 \rceil = 401$, and a quick search among maximal quadratic imaginary orders $\mathcal{O}$ for decreasing fundamental discriminants yields $d = 479$ for $-\Delta = -148$ (and class number 2). In truth, we have $52^2 + 3^2 \cdot 148 = 4n$, and the corresponding elliptic curve has got $n + 1 - 52$ ($= 2 \times 479$) points.

The Hilbert class polynomial associated to $-\Delta = -148$ is

$$H_{-148}(X) = X^2 - 39660183801072000\, X - 7898242515936467904000000 .$$

One of its roots mod $n$ is $j_E = 353$, and one can check that the point $T = (296, 432)$ is of order $d$ on the elliptic curve

$$E : y^2 + xy = x^3 + 364x + 907 .$$

Similarly, we can check that the point $M = (726, 695)$ is of order 958. Vélu's formulae yield then the quotient elliptic curve,

$$E/\langle T \rangle : y^2 + xy = x^3 + 130x + 233 .$$

We choose $A = (383, 201)$, a point of order $d$ on $E/\langle T \rangle$. We can check also that the image of $M$ by the isogeny is equal to $N = (321, 344)$, a point of order 2.

With this setting, we can now define, without any ambiguity, a normal elliptic basis $\Theta = (\theta_k)_{k \in \mathbb{Z}/d\mathbb{Z}}$ (see Section 2.3) and a final computation yields

$$\theta_0^{1009} = \theta_{91} .$$

We check that 91 is relatively prime to 479. So $T' = 91T$ is a point of exact order 479. Applying Corollary 2 with $T'$ instead of $T$, we prove that 1009 is a prime.
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4. A STRONGER CRITERION 

We now improve on the primaHty criterion of Section 3, at the expense of some more 
geometry and combinatorics. If we come back to the proof of Corollary 2, we find ourselves 
with an elliptic curve E over a field K = Fp. We are given a point T of odd order d ^ 3 and 
the corresponding automorphism a of the field of functions, 

a: K{E) — > K(^) , 
/ I — for-T- 

We also are given a function uq on E. We have an isogeny I : E ^ E', a divisor Ker/ = 

[O] + [T] + [2T] H h [(d - 1)T] and the associated K-linear space >C(Ker/) of dimension 

d lying inside 'K(E). Wc consider the Z[(j]-modulc U generated by uq inside 'K(E)* . The 
essential point is that the intersection Z// r\C(KerI) is large: the quotient {U n Z^(KerI))/K* 
has cardinality at least 2^. All the functions in this intersection have degree ^ d. We want 
to replace uq by a slightly different function and obtain an even larger set of functions with 
small degree in the corresponding monogenous Z[cr]-module. 

This section is organized as follows. Section 4.1 studies the structure of the Z-module U = 
K[i? — (T)]* of units in K[£' — (T)]. We show that the quotient module lA/'K* is monogenous 
as a Z[(T]-module and we exhibit a generator for it. Section 4.2 gives a lower bound for the 
number of functions with degree ^ (d — l)/2 in U/K.*. The resulting strengthened primality 
criterion (Corollary 3) is stated in Section 4.3. It is asymptotically twenty five times faster 
than the test resulting from Corollary 2. 

We postpone to Appendix A some of the technical results needed in the proof of the stronger 
primality criterion. The determinant needed in Section 4.1 is calculated in Section A.l. 
Section A. 2 gives a simple lower bound for binomial coefficients that is useful to prove in 
Section A. 3 a combinatorial lemma. 

4.1. A group of elliptic units. Let K be a field and E an elliptic curve over K. Let d ^ 3 
be an odd integer and let T be a point of order d in -£^(K). Let a : K(£') K(E') be the 
automorphism that sends / to / o r_r. In this paragraph, we are interested in the group U 
of functions in K(£^) having no zeros nor poles outside the group (T) generated by T. 

There is a unique multiple T of T such that T = 2T. For every k in Z/dZ, we define Uk as 
in Section 2.1.3. This is a function having two simple poles: one at kT and one at {k + 1)T. 
11 1 = 2k mod d, we set ui = Uk — uo{T) = Uk — Uk{kT + T) = uqo T_^f. Its divisor is 

{ui) = -[kT] + 2[f + kT] - [{k + l)r] = -[if] + 2[{l + l)f] - [{I + 2)f] 
and it is clear that 

n ^fceK*. (44) 

We want to prove that the $\tilde u_k$ generate the lattice $U/K^*$, or equivalently that $(\tilde u_k)_{0 \le k \le d-2}$ is a $\mathbb{Z}$-basis for it. Let $V$ be the submodule of $\mathbb{Z}^d$ consisting of vectors $(e_k)_k$ such that $\sum_{k \in \mathbb{Z}/d\mathbb{Z}} e_k = 0$. Let $W$ be the sublattice of $V$ consisting of vectors $(e_k)_k$ such that $\sum_{k \in \mathbb{Z}/d\mathbb{Z}} e_k = 0$ and $\sum_{k \in \mathbb{Z}/d\mathbb{Z}} k\, e_k = 0 \bmod d$. The index of $W$ in $V$ is $d$. We construct a bijection

$$\mathcal{V} : U/K^* \to W \qquad (45)$$

by associating to every unit $u$ the vector consisting of its valuations at all points $k\tilde T$ for $k \in \mathbb{Z}/d\mathbb{Z}$. In order to prove that $(\tilde u_k)_{0 \le k \le d-2}$ is a $\mathbb{Z}$-basis for $U/K^*$, we consider the following $(d-1) \times d$ matrix,

$$
\begin{pmatrix}
-1 & 2 & -1 & 0 & \cdots & 0 \\
0 & -1 & 2 & -1 & \ddots & \vdots \\
\vdots & \ddots & \ddots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & -1 & 2 & -1 \\
-1 & 0 & \cdots & 0 & -1 & 2
\end{pmatrix}
\qquad (46)
$$



We stress that the $d-1$ lines in this matrix are the images $\mathcal{V}(\tilde u_k)$ of the $\tilde u_k$ by $\mathcal{V}$, for $0 \le k \le d-2$. We want to show that these lines form a basis of $W$. We call them $W_k$ for $0 \le k \le d-2$. From equation (48) below, we deduce that the determinant of the rightmost $(d-1) \times (d-1)$ minor in the above matrix is $d$. So the index of the lattice generated by the $(W_k)_{0 \le k \le d-2}$ inside $V$ is a divisor of $d$. Since this lattice is contained in $W$, whose index in $V$ is $d$, this implies that this lattice is equal to $W$.

Lemma 3. Let $U \subset K(E)^*$ be the group of functions having no zero nor pole outside the subgroup $\langle T\rangle$ generated by $T$. Then $U/K^*$ is a free $\mathbb{Z}$-module and $(\tilde u_k)_{0 \le k \le d-2}$ is a basis for it. As a $\mathbb{Z}[\sigma]$-module, $U/K^*$ is monogenous and $\tilde u_0$ is a generator for it.

4.2. Elliptic units with small degree. In this paragraph, we are interested in the subset $\mathcal{T}$ of $U$ consisting of functions in $U$ having degree $\le (d-1)/2$. Recall the definitions of $V$ and $W$ given in Section 4.1. Let $\mathcal{X}$ be the subset of the lattice $V$ consisting of vectors having $L^1$-norm $\le d-1$. Let $\mathcal{J}$ be the intersection of $\mathcal{X}$ and $W$. The set $\mathcal{T}/K^*$ is mapped bijectively onto $\mathcal{J}$ by the map $\mathcal{V}$ defined in Eq. (45). We want to bound from below the cardinality of $\mathcal{J}$.

For every $k$ and $l$ in $\mathbb{Z}/d\mathbb{Z}$, the map $\kappa_{k,l} : V \to V$ is defined to be the map that increments the $k$-th coordinate and decrements the $l$-th one. There are $d(d-1)+1$ such maps. We fix an arbitrary total order on the set consisting of these $d(d-1)+1$ maps. For every vector $\vec v = (v_i)_{i \in \mathbb{Z}/d\mathbb{Z}}$ in $\mathcal{X}$, there is at least one map $\kappa_{k,l}$ such that $\kappa_{k,l}(\vec v)$ is in $\mathcal{J}$:

• if $\vec v$ is already in $W$, we apply the identity $\kappa_{0,0}$ to $\vec v$;

• otherwise, we assume for instance that the $l$-th coordinate is positive. We set $k = l - \sum_{i \in \mathbb{Z}/d\mathbb{Z}} i\, v_i \bmod d$ and we can check that $\kappa_{k,l}(\vec v)$ is in $W$ and its norm is not bigger than the norm of $\vec v$.

For every vector $\vec v$ in $\mathcal{X}$, we call $\kappa(\vec v)$ the image of $\vec v$ by the smallest map $\kappa_{k,l}$ such that $\kappa_{k,l}(\vec v)$ is in $\mathcal{J}$. This way, we define a map $\kappa : \mathcal{X} \to \mathcal{J}$. Every element in $\mathcal{J}$ has at most $d(d-1)+1$ preimages by $\kappa$. Therefore, the sizes of $\mathcal{X}$ and $\mathcal{J}$ are related by the following inequation.

We know from Lemma 5 that $\log \#\mathcal{X} \ge 1.74498 \times d$ if $d \ge 2001$. We deduce that $\log \#\mathcal{J} \ge (1.74498 - 0.0076) \times d$ in this case (since $\log(d(d-1)+1) \le 0.0076 \times d$ for $d \ge 2001$). Hence, we have the following lemma.

Lemma 4. If $d \ge 2001$ is an odd integer, the set $\mathcal{T}/K^*$ consisting of elliptic units (modulo constants) having degree $\le (d-1)/2$ has cardinality

$$\#(\mathcal{T}/K^*) \ge \exp(1.73738 \times d).$$
4.3. A strong primality criterion. Assume that we are in the situation of Section 3. We are given an integer $n \ge 2$ and we set $R = \mathbb{Z}/n\mathbb{Z}$. Let $E$ be an elliptic curve over $R$, let $d \ge 2001$ be a prime to $2n$ integer and let $T \in E(R)$ be a section of exact order $d$. We call $I : E \to E'$ the quotient by $\langle T\rangle$ isogeny as given by Vélu's formulae. Assume we are given a section $A \in E'^{g}(R)$ and call

$$\mathfrak{d}_A = (x' - x'(A),\, y' - y'(A))$$

the ideal of $I^{-1}(A)$ in $R[E - E[d]]$. We assume that $D(x'(A))$ is a unit in $R$. We call $S = R[x, y, 1/\psi_d(x)]/(x' - x'(A), y' - y'(A))$ the ring of elliptic periods. We define the functions $(u_l)_{l \in \mathbb{Z}/d\mathbb{Z}}$ as in Section 2.1.3. There is a unique multiple $\tilde T$ of $T$ such that $T = 2\tilde T$. We set $\eta = u_0(\tilde T) \in R$. If $l = 2k \bmod d$, we set $\tilde u_l = u_k - \eta$. We set $\theta_k = u_k \bmod \mathfrak{d}_A$ and $\tilde\theta_l = \theta_k - \eta$. Assume now that the following equality holds true in the ring $S$:

$$(\tilde\theta_0)^n = \tilde\theta_1. \qquad (47)$$

Let $\sigma : R[E - \langle T\rangle] \to R[E - \langle T\rangle]$ be the automorphism induced on $R[E - \langle T\rangle]$ by the translation $\tau_{-\tilde T}$,

$$\sigma : R[E - \langle T\rangle] \to R[E - \langle T\rangle], \quad f \mapsto f \circ \tau_{-\tilde T}.$$

We also denote by $\sigma : S \to S$ the induced map on $S$. Letting $\sigma$ repeatedly act on Eq. (47), we deduce that for any $k \in \mathbb{Z}/d\mathbb{Z}$, $\tilde\theta_k$ is a power of $\tilde\theta_0$. In particular, the product $\prod_k \tilde\theta_k$ is a power of $\tilde\theta_0$. But Eq. (44) tells us that this product is a unit in $R$. So $\tilde\theta_0$ is a unit.

Let $p$ be any prime divisor of $n$. We set $a = \tilde\theta_0 \bmod p \in S/pS$. We show that the order of $a$ in $(S/pS)^*$ is large.

Let $\vec v$ be a vector in $\mathcal{J} \subset \mathbb{Z}^d$. Let $(w_k)_{0 \le k \le d-2}$ be the coordinates of $\vec v$ in the basis $(W_k)_{0 \le k \le d-2}$ of $W$ defined at the end of Section 4.1. Let $f_{\vec v} = \prod_{0 \le k \le d-2} \tilde u_k^{w_k}$ be the unique multiplicative combination of the $\tilde u_k$ such that $\mathcal{V}(f_{\vec v} \bmod p) = \vec v$, where $\mathcal{V}$ is the valuation map defined in Eq. (45). We note that $f_{\vec v} \bmod (\mathfrak{d}_A, p) = \prod_{0 \le k \le d-2} (\tilde\theta_k \bmod p)^{w_k}$ is a power of $a$. Since $\vec v$ is in $\mathcal{J}$, we know that $f_{\vec v} \bmod p$ has degree $\le (d-1)/2$. Let $\vec v_1$ and $\vec v_2$ be two distinct vectors in $\mathcal{J}$. Let $l_1$ and $l_2$ be two integers that are relatively prime to $p$. Then $l_1 f_{\vec v_1} \ne l_2 f_{\vec v_2} \bmod (\mathfrak{d}_A, p)$ unless $\vec v_1 = \vec v_2$ and $l_1 = l_2 \bmod p$. Indeed, if $l_1 f_{\vec v_1} = l_2 f_{\vec v_2} \bmod (\mathfrak{d}_A, p)$ then $l_1 f_{\vec v_1} - l_2 f_{\vec v_2} \bmod p$ is a function on $E \bmod p$ with degree $\le d-1$ and it cancels on the degree $d$ divisor $I^{-1}(A) \bmod p$. So $l_1 f_{\vec v_1} = l_2 f_{\vec v_2} \bmod p$. Therefore, $f_{\vec v_1}$ and $f_{\vec v_2}$ have the same divisor. We deduce that $\vec v_1 = \vec v_2$. Therefore $l_1 = l_2 \bmod p$ also.

Using Theorem 3 and the lower bound in Lemma 4, we deduce the following corollary. 

Corollary 3 (Strong elliptic AKS criterion). Let $n \ge 2$ be an integer and let $E$ be an elliptic curve over $R = \mathbb{Z}/n\mathbb{Z}$. Let $T \in E(R)$ be a section of exact order $d$ where $d \ge 2001$ is a prime to $2n$ integer. Let $E'$ be the quotient $E/\langle T\rangle$ given by Vélu's formulae. Let $A \in E'^{g}(R)$ be a section such that the vector $\vec e = (t_k(x'(A)))_k$ defined by Eq. (22) is invertible for the convolution product $\star$ on $R^d$. Assume the congruence

$$(\tilde\theta_0)^n = \tilde\theta_1$$

holds true in the ring of elliptic periods $S = R[x, y, 1/\psi_d(x)]/(x' - x'(A), y' - y'(A))$. Assume further that

$\exp(1.73738 \times d) \ge$ n^.

Then $n$ is a prime power.

Appendix A. 

A.1. A determinant. We first compute a determinant that is useful in Section 4.1. For every integer $n \ge 1$, we define $D_n$ to be the determinant of the $n \times n$ matrix with $2$ on the diagonal and $-1$ on the two adjacent diagonals, that is, the rightmost minor of the matrix defined by Eq. (46).

We have $D_1 = 2$ and $D_2 = 3$. We develop the determinant $D_n$ along the first column and find that $D_n = 2D_{n-1} - D_{n-2}$ for any $n \ge 3$. We deduce, for any $n \ge 1$,

$$D_n = n + 1. \qquad (48)$$
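To see the lattice argument of Section 4.1 together with the determinant of Section A.1 in action, here is an added Python check (written for this edit, not the paper's own code): it builds the matrix (46) for a small odd $d$, computes $D_n$ both by the recurrence and by an exact determinant, verifies that the rows $W_k$ lie in $W$, and computes the index in $V$ of the lattice they span as the gcd of the maximal minors, which comes out equal to $d$, so that the lattice is $W$.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

def det(rows):
    """Exact determinant of a square integer matrix (Gaussian elimination over Q)."""
    a = [[Fraction(x) for x in r] for r in rows]
    n, result = len(a), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c] != 0), None)
        if p is None:
            return 0
        if p != c:
            a[c], a[p], result = a[p], a[c], -result
        result *= a[c][c]
        for r in range(c + 1, n):
            f = a[r][c] / a[c][c]
            a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return int(result)

def D(n):
    """D_n of Section A.1 via D_n = 2 D_{n-1} - D_{n-2}, D_1 = 2, D_2 = 3."""
    prev, cur = 2, 3
    if n == 1:
        return prev
    for _ in range(3, n + 1):
        prev, cur = cur, 2 * cur - prev
    return cur

def tridiagonal(n):
    """n x n matrix with 2 on the diagonal and -1 beside it: the rightmost minor of (46)."""
    return [[2 if i == j else -1 if abs(i - j) == 1 else 0 for j in range(n)] for i in range(n)]

def matrix_46(d):
    """Row k is W_k = valuations of u~_k at the points j*T~: -1 at j=k, 2 at k+1, -1 at k+2 (mod d)."""
    return [[-1 if j == k else 2 if j == (k + 1) % d else -1 if j == (k + 2) % d else 0
             for j in range(d)] for k in range(d - 1)]

def in_W(e):
    """Membership in W: coordinates sum to 0 and sum_k k*e_k = 0 mod d."""
    return sum(e) == 0 and sum(k * x for k, x in enumerate(e)) % len(e) == 0

def index_in_V(rows):
    """Index in V = {sum 0} of the lattice spanned by the rows. V is saturated in Z^d,
    so the index equals the gcd of the (d-1) x (d-1) minors of the basis matrix."""
    d = len(rows[0])
    return reduce(gcd, (abs(det([r[:c] + r[c + 1:] for r in rows])) for c in range(d)))
```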

A.2. Lower bounds for binomial coefficients. In this paragraph, we compute effective lower bounds for binomial coefficients. These estimates will be useful in Section A.3. Let $K \ge 2$ be an integer and let $(d_k)_{1 \le k \le K}$ be a family of positive integers. We set $d = \sum_{1 \le k \le K} d_k$ and $\alpha_k = d_k/d$. We set $\alpha = (\alpha_1, \ldots, \alpha_K)$ and define the corresponding entropy to be

$$H(\alpha) = H(\alpha_1, \ldots, \alpha_K) = -\alpha_1 \log \alpha_1 - \alpha_2 \log \alpha_2 - \cdots - \alpha_K \log \alpha_K.$$

We recall Robbins effective Stirling formula [21]. For every positive integer $d$,

We deduce

$(2\pi d)$^ $\exp(d \times H(\alpha_1, \ldots, \alpha_K) +$ ^ $-$ ^$) \le \binom{d}{d_1, \ldots, d_K} \le (2\pi d)$^ $2$^ $\exp(d \times H(\alpha_1, \ldots, \alpha_K) +$ ^ $-$ ^$)$.



We shall need the following definition.

Definition 1. Let $\beta = (\beta_k)_{1 \le k \le K}$ be a family of reals in $]0, 1[$ such that $\sum_{1 \le k \le K} \beta_k = 1$. Let $d$ be a positive integer. We assume $\beta_k > 1/d$ for every $1 \le k \le K$. For every integer $k$ such that $1 \le k \le K-1$, set $d_k = \lfloor \beta_k d \rfloor$. We observe that $d_k$ is positive. Set $d_K = d - \sum_{1 \le k \le K-1} d_k$. It is positive also. The rounded multinomial coefficient associated to $d$ and $\beta$ is defined to be

$$\binom{d}{\beta} = \binom{d}{d_1, d_2, \ldots, d_K}.$$

In order to find a nice lower bound for this coefficient, we set $\alpha_k = d_k/d$ for every $1 \le k \le K$. It is clear that

$$\beta_k - \frac{1}{d} \le \alpha_k \le \beta_k, \ \text{for } 1 \le k \le K-1, \qquad\text{and}\qquad \beta_K \le \alpha_K \le \beta_K + \frac{K}{d}.$$

We set $\mu = \max(-\log(\min_{1 \le k \le K}(\beta_k - 1/d)) - 1,\ 1)$ and we notice that for any $1 \le k \le K$ the derivative of $x \mapsto -x \log x$ is bounded by $\mu$ in absolute value between $\alpha_k$ and $\beta_k$. Since $|\beta_k - \alpha_k| \le 1/d$ when $1 \le k \le K-1$ and $|\beta_K - \alpha_K| \le K/d$, we deduce

$$|H(\alpha_1, \alpha_2, \ldots, \alpha_K) - H(\beta_1, \beta_2, \ldots, \beta_K)| \le \cdots$$

And thus,

$$\frac{1}{d} \log \binom{d}{\beta} \ge H(\beta) - \cdots \qquad (49)$$
A.3. An enumeration problem. Let $d \ge 3$ be an odd integer. We are interested in the set $S_d$ of vectors $\vec e = (e_1, e_2, \ldots, e_d)$ in $\mathbb{Z}^d$ such that the sum $\sum_{1 \le k \le d} e_k$ of coordinates is zero and the $L^1$-norm $\sum_{1 \le k \le d} |e_k|$ of $\vec e$ is $d-1$.

We look for a lower bound for the cardinality of $S_d$. To every vector $\vec e \in S_d$, we associate a partition of $\{1, 2, \ldots, d\}$ in three sets $E_0$, $E_+$, $E_-$ corresponding to the indices with zero, positive and negative coordinates respectively. The sum of positive coordinates equals $(d-1)/2$. The sum of negative coordinates equals $-(d-1)/2$.

We fix a real number $\beta \in ]0, \tfrac{1}{2}[$ and define the subset $S_{d,\beta} \subset S_d$ consisting of vectors in $S_d$ having exactly $\lfloor \beta d \rfloor$ positive coordinates and $\lfloor \beta d \rfloor$ negative coordinates. We assume $\beta d \ge 1$. The number of elements in $S_{d,\beta}$ is

$$\binom{d}{\lfloor \beta d \rfloor,\ \lfloor \beta d \rfloor,\ d - 2\lfloor \beta d \rfloor} \binom{\frac{d-1}{2} - 1}{\lfloor \beta d \rfloor - 1} \binom{\frac{d-1}{2} - 1}{\lfloor \beta d \rfloor - 1}. \qquad (50)$$

The first factor in the product above is the number of corresponding partitions $E_0 \cup E_+ \cup E_-$. The second factor is the number of ways one can write $(d-1)/2$ as a sum of $\lfloor \beta d \rfloor$ strictly positive integers. The third factor is the number of ways one can write $-(d-1)/2$ as a sum of $\lfloor \beta d \rfloor$ strictly negative integers.

We want to choose the real $\beta$ so as to make the product in Eq. (50) as big as possible. The logarithm of this product divided by $d$ tends to $H(\beta, \beta, 1-2\beta) + H(2\beta, 1-2\beta)$ as $d$ tends to infinity. This expression is maximal for $\beta = 1/(2+\sqrt{2})$ and its value is then bigger than $1.7627$. We set $\beta = 1/(2+\sqrt{2})$ and we look for an effective lower bound for every factor in Eq. (50).

We first apply Eq. (49) for $K = 3$, $\beta = (\beta, \beta, 1-2\beta)$, $\mu = 1$, $H(\beta, \beta, 1-2\beta) \ge 1.08439$ and $d \ge 2001$. We find that

$$\frac{1}{d} \log \binom{d}{\lfloor \beta d \rfloor,\ \lfloor \beta d \rfloor,\ d - 2\lfloor \beta d \rfloor} \ge 1.08439 - 0.00781 = 1.07658. \qquad (51)$$

We now notice that $\lfloor \beta d \rfloor - 1 \ge ((d-1)/2 - 1)/2$ and $\lfloor \beta'(d-3) \rfloor \ge \lfloor \beta d \rfloor - 1$ provided $\beta'/\beta \ge d/(d-3)$, which is guaranteed by setting $\beta' = 0.29334$. So,

$$\binom{\frac{d-1}{2} - 1}{\lfloor \beta d \rfloor - 1} \ge \binom{\frac{d-3}{2}}{\lfloor 2\beta' \frac{d-3}{2} \rfloor}. \qquad (52)$$

We then apply Eq. (49) for $K = 2$, $\beta = (2\beta', 1-2\beta')$, $\mu = 1$, $H(2\beta', 1-2\beta') \ge 0.678$, and $d \ge 999$. We find that

If we substitute $d$ by $(d-3)/2$ in the above formula, we obtain, for $d \ge 2001$,

$$\frac{1}{d} \log \binom{\frac{d-3}{2}}{\lfloor 2\beta' \frac{d-3}{2} \rfloor} \ge \cdots \ge 0.3342. \qquad (53)$$

Combining Eqs. (50), (51), (52), and (53), we deduce the following lemma.

Lemma 5. Let $d \ge 2001$ be an odd integer and let $S_d \subset \mathbb{Z}^d$ be the set of vectors having $L^1$-norm equal to $d-1$ and the sum of all coordinates equal to $0$. We have

$$\log \#S_d \ge 1.74498 \times d.$$
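As an added illustration (written for this edit, not the paper's own code) of the counting in Eq. (50) and of the map $\kappa$ of Section 4.2, the following Python code enumerates $S_d$ and the set $\mathcal{X}$ for small odd $d$. It extends the count of Eq. (50) to an unequal number of positive and negative coordinates, so that the sum over all such pairs recovers $\#S_d$ exactly, and it checks the fibre bound $d(d-1)+1$ for the recipe that pushes a vector of $\mathcal{X}$ into $\mathcal{J} = \mathcal{X} \cap W$.

```python
from math import comb

def sum_zero_vectors(d, max_norm):
    """Yield every e in Z^d with sum 0 and L1-norm <= max_norm (the set X of Section 4.2)."""
    def rec(i, budget, acc):
        if i == d - 1:
            last = -sum(acc)            # the last coordinate is forced by the zero-sum condition
            if abs(last) <= budget:
                yield acc + [last]
            return
        for x in range(-budget, budget + 1):
            yield from rec(i + 1, budget - abs(x), acc + [x])
    yield from rec(0, max_norm, [])

def count_S_d(d):
    """#S_d by enumeration: sum 0 and L1-norm exactly d - 1 (d odd)."""
    return sum(1 for e in sum_zero_vectors(d, d - 1) if sum(map(abs, e)) == d - 1)

def count_S_d_formula(d):
    """#S_d summed over (m+, m-) with the counting of Eq. (50): index sets, then compositions."""
    h = (d - 1) // 2
    return sum(comb(d, mp) * comb(d - mp, mm) * comb(h - 1, mp - 1) * comb(h - 1, mm - 1)
               for mp in range(1, h + 1) for mm in range(1, h + 1))

def in_W(v):  # sum 0 and sum_k k*v_k = 0 mod d, indices k in Z/dZ
    return sum(v) == 0 and sum(k * x for k, x in enumerate(v)) % len(v) == 0

def kappa(v):
    """Section 4.2 recipe: move one unit from a positive coordinate l to k = l - sum_i i*v_i mod d."""
    if in_W(v):
        return tuple(v)
    l = next(i for i, x in enumerate(v) if x > 0)
    k = (l - sum(i * x for i, x in enumerate(v))) % len(v)
    w = list(v)
    w[k], w[l] = w[k] + 1, w[l] - 1
    return tuple(w)

def fibre_bound_holds(d):
    """kappa sends X into J = X ∩ W without increasing the norm and each element of J
    has at most d(d-1)+1 preimages, so #J >= #X / (d(d-1)+1)."""
    X = [tuple(e) for e in sum_zero_vectors(d, d - 1)]
    fibres = {}
    for v in X:
        w = kappa(v)
        if not in_W(w) or sum(map(abs, w)) > sum(map(abs, v)):
            return False
        fibres[w] = fibres.get(w, 0) + 1
    J = [v for v in X if in_W(v)]
    return max(fibres.values()) <= d * (d - 1) + 1 and len(J) * (d * (d - 1) + 1) >= len(X)
```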